Gitiles
Code Review Sign In
gerrit.openfyde.cn / boringssl.googlesource.com / boringssl / 02084ea3988446273558881a7e728b04d7338350 / . / ssl / test / runner / runner.go
blob: eeb623507a54918103858cb70ad70c72cc89f20b [file] [log] [blame]
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]1// Copyright (c) 2016, Google Inc.
2//
3// Permission to use, copy, modify, and/or distribute this software for any
4// purpose with or without fee is hereby granted, provided that the above
5// copyright notice and this permission notice appear in all copies.
6//
7// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
8// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
9// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
10// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
11// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
12// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
David Benjamin0d1b0962016-08-01 09:50:57 -0400[diff] [blame]13// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
Adam Langley7fcfd3b2016-05-20 11:02:50 -0700[diff] [blame]14
Adam Langleydc7e9c42015-09-29 15:21:04 -0700[diff] [blame]15package runner
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]16
17import (
18 "bytes"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]19 "crypto/ecdsa"
20 "crypto/elliptic"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]21 "crypto/rand"
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]22 "crypto/x509"
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]23 "crypto/x509/pkix"
David Benjamin2561dc32014-08-24 01:25:27 -0400[diff] [blame]24 "encoding/base64"
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]25 "encoding/hex"
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]26 "encoding/json"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]27 "encoding/pem"
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]28 "errors"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]29 "flag"
30 "fmt"
31 "io"
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]32 "io/ioutil"
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]33 "math/big"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]34 "net"
35 "os"
36 "os/exec"
David Benjamin884fdf12014-08-02 15:28:23 -0400[diff] [blame]37 "path"
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]38 "path/filepath"
David Benjamin2bc8e6f2014-08-02 15:22:37 -0400[diff] [blame]39 "runtime"
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]40 "strconv"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]41 "strings"
42 "sync"
43 "syscall"
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]44 "time"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]45)
46
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]47var (
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]48 useValgrind = flag.Bool("valgrind", false, "If true, run code under valgrind")
49 useGDB = flag.Bool("gdb", false, "If true, run BoringSSL code under gdb")
50 useLLDB = flag.Bool("lldb", false, "If true, run BoringSSL code under lldb")
51 flagDebug = flag.Bool("debug", false, "Hexdump the contents of the connection")
52 mallocTest = flag.Int64("malloc-test", -1, "If non-negative, run each test with each malloc in turn failing from the given number onwards.")
53 mallocTestDebug = flag.Bool("malloc-test-debug", false, "If true, ask bssl_shim to abort rather than fail a malloc. This can be used with a specific value for --malloc-test to identity the malloc failing that is causing problems.")
54 jsonOutput = flag.String("json-output", "", "The file to output JSON results to.")
55 pipe = flag.Bool("pipe", false, "If true, print status output suitable for piping into another program.")
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]56 testToRun = flag.String("test", "", "The pattern to filter tests to run, or empty to run all tests")
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]57 numWorkers = flag.Int("num-workers", runtime.NumCPU(), "The number of workers to run in parallel.")
58 shimPath = flag.String("shim-path", "../../../build/ssl/test/bssl_shim", "The location of the shim binary.")
59 resourceDir = flag.String("resource-dir", ".", "The directory in which to find certificate and key files.")
60 fuzzer = flag.Bool("fuzzer", false, "If true, tests against a BoringSSL built in fuzzer mode.")
61 transcriptDir = flag.String("transcript-dir", "", "The directory in which to write transcripts.")
62 idleTimeout = flag.Duration("idle-timeout", 15*time.Second, "The number of seconds to wait for a read or write to bssl_shim.")
63 deterministic = flag.Bool("deterministic", false, "If true, uses a deterministic PRNG in the runner.")
64 allowUnimplemented = flag.Bool("allow-unimplemented", false, "If true, report pass even if some tests are unimplemented.")
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]65 looseErrors = flag.Bool("loose-errors", false, "If true, allow shims to report an untranslated error code.")
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]66 shimConfigFile = flag.String("shim-config", "", "A config file to use to configure the tests for this shim.")
67 includeDisabled = flag.Bool("include-disabled", false, "If true, also runs disabled tests.")
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]68 includeDHE = flag.Bool("include-dhe", false, "If true, test DHE ciphersuites.")
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]69 repeatUntilFailure = flag.Bool("repeat-until-failure", false, "If true, the first selected test will be run repeatedly until failure.")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]70)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]71
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]72// ShimConfigurations is used with the “json” package and represents a shim
73// config file.
74type ShimConfiguration struct {
75 // DisabledTests maps from a glob-based pattern to a freeform string.
76 // The glob pattern is used to exclude tests from being run and the
77 // freeform string is unparsed but expected to explain why the test is
78 // disabled.
79 DisabledTests map[string]string
80
81 // ErrorMap maps from expected error strings to the correct error
82 // string for the shim in question. For example, it might map
83 // “:NO_SHARED_CIPHER:” (a BoringSSL error string) to something
84 // like “SSL_ERROR_NO_CYPHER_OVERLAP”.
85 ErrorMap map[string]string
86}
87
88var shimConfig ShimConfiguration
89
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]90type testCert int
91
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]92const (
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]93 testCertRSA testCert = iota
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]94 testCertRSA1024
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]95 testCertRSAChain
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]96 testCertECDSAP224
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]97 testCertECDSAP256
98 testCertECDSAP384
99 testCertECDSAP521
100)
101
102const (
103 rsaCertificateFile = "cert.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]104 rsa1024CertificateFile = "rsa_1024_cert.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]105 rsaChainCertificateFile = "rsa_chain_cert.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]106 ecdsaP224CertificateFile = "ecdsa_p224_cert.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]107 ecdsaP256CertificateFile = "ecdsa_p256_cert.pem"
108 ecdsaP384CertificateFile = "ecdsa_p384_cert.pem"
109 ecdsaP521CertificateFile = "ecdsa_p521_cert.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]110)
111
112const (
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]113 rsaKeyFile = "key.pem"
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]114 rsa1024KeyFile = "rsa_1024_key.pem"
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]115 rsaChainKeyFile = "rsa_chain_key.pem"
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]116 ecdsaP224KeyFile = "ecdsa_p224_key.pem"
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]117 ecdsaP256KeyFile = "ecdsa_p256_key.pem"
118 ecdsaP384KeyFile = "ecdsa_p384_key.pem"
119 ecdsaP521KeyFile = "ecdsa_p521_key.pem"
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]120 channelIDKeyFile = "channel_id_key.pem"
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]121)
122
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]123var (
124 rsaCertificate Certificate
125 rsa1024Certificate Certificate
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]126 rsaChainCertificate Certificate
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]127 ecdsaP224Certificate Certificate
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]128 ecdsaP256Certificate Certificate
129 ecdsaP384Certificate Certificate
130 ecdsaP521Certificate Certificate
131)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]132
133var testCerts = []struct {
134 id testCert
135 certFile, keyFile string
136 cert *Certificate
137}{
138 {
139 id: testCertRSA,
140 certFile: rsaCertificateFile,
141 keyFile: rsaKeyFile,
142 cert: &rsaCertificate,
143 },
144 {
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]145 id: testCertRSA1024,
146 certFile: rsa1024CertificateFile,
147 keyFile: rsa1024KeyFile,
148 cert: &rsa1024Certificate,
149 },
150 {
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]151 id: testCertRSAChain,
152 certFile: rsaChainCertificateFile,
153 keyFile: rsaChainKeyFile,
154 cert: &rsaChainCertificate,
155 },
156 {
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]157 id: testCertECDSAP224,
158 certFile: ecdsaP224CertificateFile,
159 keyFile: ecdsaP224KeyFile,
160 cert: &ecdsaP224Certificate,
161 },
162 {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]163 id: testCertECDSAP256,
164 certFile: ecdsaP256CertificateFile,
165 keyFile: ecdsaP256KeyFile,
166 cert: &ecdsaP256Certificate,
167 },
168 {
169 id: testCertECDSAP384,
170 certFile: ecdsaP384CertificateFile,
171 keyFile: ecdsaP384KeyFile,
172 cert: &ecdsaP384Certificate,
173 },
174 {
175 id: testCertECDSAP521,
176 certFile: ecdsaP521CertificateFile,
177 keyFile: ecdsaP521KeyFile,
178 cert: &ecdsaP521Certificate,
179 },
180}
181
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]182var channelIDKey *ecdsa.PrivateKey
183var channelIDBytes []byte
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]184
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]185var testOCSPResponse = []byte{1, 2, 3, 4}
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]186var testSCTList = []byte{0, 6, 0, 4, 5, 6, 7, 8}
David Benjamin61f95272014-11-25 01:55:35 -0500[diff] [blame]187
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]188var testOCSPExtension = append([]byte{byte(extensionStatusRequest) >> 8, byte(extensionStatusRequest), 0, 8, statusTypeOCSP, 0, 0, 4}, testOCSPResponse...)
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]189var testSCTExtension = append([]byte{byte(extensionSignedCertificateTimestamp) >> 8, byte(extensionSignedCertificateTimestamp), 0, byte(len(testSCTList))}, testSCTList...)
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]190
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]191func initCertificates() {
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]192 for i := range testCerts {
193 cert, err := LoadX509KeyPair(path.Join(*resourceDir, testCerts[i].certFile), path.Join(*resourceDir, testCerts[i].keyFile))
194 if err != nil {
195 panic(err)
196 }
197 cert.OCSPStaple = testOCSPResponse
198 cert.SignedCertificateTimestampList = testSCTList
199 *testCerts[i].cert = cert
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]200 }
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]201
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]202 channelIDPEMBlock, err := ioutil.ReadFile(path.Join(*resourceDir, channelIDKeyFile))
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]203 if err != nil {
204 panic(err)
205 }
206 channelIDDERBlock, _ := pem.Decode(channelIDPEMBlock)
207 if channelIDDERBlock.Type != "EC PRIVATE KEY" {
208 panic("bad key type")
209 }
210 channelIDKey, err = x509.ParseECPrivateKey(channelIDDERBlock.Bytes)
211 if err != nil {
212 panic(err)
213 }
214 if channelIDKey.Curve != elliptic.P256() {
215 panic("bad curve")
216 }
217
218 channelIDBytes = make([]byte, 64)
219 writeIntPadded(channelIDBytes[:32], channelIDKey.X)
220 writeIntPadded(channelIDBytes[32:], channelIDKey.Y)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]221}
222
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]223func getRunnerCertificate(t testCert) Certificate {
224 for _, cert := range testCerts {
225 if cert.id == t {
226 return *cert.cert
227 }
228 }
229 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]230}
231
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]232func getShimCertificate(t testCert) string {
233 for _, cert := range testCerts {
234 if cert.id == t {
235 return cert.certFile
236 }
237 }
238 panic("Unknown test certificate")
239}
240
241func getShimKey(t testCert) string {
242 for _, cert := range testCerts {
243 if cert.id == t {
244 return cert.keyFile
245 }
246 }
247 panic("Unknown test certificate")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]248}
249
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]250// encodeDERValues encodes a series of bytestrings in comma-separated-hex form.
251func encodeDERValues(values [][]byte) string {
252 var ret string
253 for i, v := range values {
254 if i > 0 {
255 ret += ","
256 }
257 ret += hex.EncodeToString(v)
258 }
259
260 return ret
261}
262
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]263type testType int
264
265const (
266 clientTest testType = iota
267 serverTest
268)
269
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]270type protocol int
271
272const (
273 tls protocol = iota
274 dtls
275)
276
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]277const (
278 alpn = 1
279 npn = 2
280)
281
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]282type testCase struct {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]283 testType testType
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]284 protocol protocol
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]285 name string
286 config Config
287 shouldFail bool
288 expectedError string
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]289 // expectedLocalError, if not empty, contains a substring that must be
290 // found in the local error.
291 expectedLocalError string
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]292 // expectedVersion, if non-zero, specifies the TLS version that must be
293 // negotiated.
294 expectedVersion uint16
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]295 // expectedResumeVersion, if non-zero, specifies the TLS version that
296 // must be negotiated on resumption. If zero, expectedVersion is used.
297 expectedResumeVersion uint16
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]298 // expectedCipher, if non-zero, specifies the TLS cipher suite that
299 // should be negotiated.
300 expectedCipher uint16
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]301 // expectChannelID controls whether the connection should have
302 // negotiated a Channel ID with channelIDKey.
303 expectChannelID bool
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]304 // expectedNextProto controls whether the connection should
305 // negotiate a next protocol via NPN or ALPN.
306 expectedNextProto string
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]307 // expectNoNextProto, if true, means that no next protocol should be
308 // negotiated.
309 expectNoNextProto bool
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]310 // expectedNextProtoType, if non-zero, is the expected next
311 // protocol negotiation mechanism.
312 expectedNextProtoType int
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]313 // expectedSRTPProtectionProfile is the DTLS-SRTP profile that
314 // should be negotiated. If zero, none should be negotiated.
315 expectedSRTPProtectionProfile uint16
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]316 // expectedOCSPResponse, if not nil, is the expected OCSP response to be received.
317 expectedOCSPResponse []uint8
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]318 // expectedSCTList, if not nil, is the expected SCT list to be received.
319 expectedSCTList []uint8
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]320 // expectedPeerSignatureAlgorithm, if not zero, is the signature
321 // algorithm that the peer should have used in the handshake.
322 expectedPeerSignatureAlgorithm signatureAlgorithm
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]323 // expectedCurveID, if not zero, is the curve that the handshake should
324 // have used.
325 expectedCurveID CurveID
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]326 // messageLen is the length, in bytes, of the test message that will be
327 // sent.
328 messageLen int
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]329 // messageCount is the number of test messages that will be sent.
330 messageCount int
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]331 // certFile is the path to the certificate to use for the server.
332 certFile string
333 // keyFile is the path to the private key to use for the server.
334 keyFile string
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]335 // resumeSession controls whether a second connection should be tested
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]336 // which attempts to resume the first session.
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]337 resumeSession bool
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]338 // resumeRenewedSession controls whether a third connection should be
339 // tested which attempts to resume the second connection's session.
340 resumeRenewedSession bool
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]341 // expectResumeRejected, if true, specifies that the attempted
342 // resumption must be rejected by the client. This is only valid for a
343 // serverTest.
344 expectResumeRejected bool
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]345 // resumeConfig, if not nil, points to a Config to be used on
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]346 // resumption. Unless newSessionsOnResume is set,
347 // SessionTicketKey, ServerSessionCache, and
348 // ClientSessionCache are copied from the initial connection's
349 // config. If nil, the initial connection's config is used.
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]350 resumeConfig *Config
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]351 // newSessionsOnResume, if true, will cause resumeConfig to
352 // use a different session resumption context.
353 newSessionsOnResume bool
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]354 // noSessionCache, if true, will cause the server to run without a
355 // session cache.
356 noSessionCache bool
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]357 // sendPrefix sends a prefix on the socket before actually performing a
358 // handshake.
359 sendPrefix string
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]360 // shimWritesFirst controls whether the shim sends an initial "hello"
361 // message before doing a roundtrip with the runner.
362 shimWritesFirst bool
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]363 // shimShutsDown, if true, runs a test where the shim shuts down the
364 // connection immediately after the handshake rather than echoing
365 // messages from the runner.
366 shimShutsDown bool
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]367 // renegotiate indicates the number of times the connection should be
368 // renegotiated during the exchange.
369 renegotiate int
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]370 // sendHalfHelloRequest, if true, causes the server to send half a
371 // HelloRequest when the handshake completes.
372 sendHalfHelloRequest bool
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]373 // renegotiateCiphers is a list of ciphersuite ids that will be
374 // switched in just before renegotiation.
375 renegotiateCiphers []uint16
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]376 // replayWrites, if true, configures the underlying transport
377 // to replay every write it makes in DTLS tests.
378 replayWrites bool
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]379 // damageFirstWrite, if true, configures the underlying transport to
380 // damage the final byte of the first application data write.
381 damageFirstWrite bool
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]382 // exportKeyingMaterial, if non-zero, configures the test to exchange
383 // keying material and verify they match.
384 exportKeyingMaterial int
385 exportLabel string
386 exportContext string
387 useExportContext bool
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]388 // flags, if not empty, contains a list of command-line flags that will
389 // be passed to the shim program.
390 flags []string
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]391 // testTLSUnique, if true, causes the shim to send the tls-unique value
392 // which will be compared against the expected value.
393 testTLSUnique bool
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]394 // sendEmptyRecords is the number of consecutive empty records to send
395 // before and after the test message.
396 sendEmptyRecords int
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]397 // sendWarningAlerts is the number of consecutive warning alerts to send
398 // before and after the test message.
399 sendWarningAlerts int
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]400 // sendKeyUpdates is the number of consecutive key updates to send
401 // before and after the test message.
402 sendKeyUpdates int
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]403 // keyUpdateRequest is the KeyUpdateRequest value to send in KeyUpdate messages.
404 keyUpdateRequest byte
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]405 // expectMessageDropped, if true, means the test message is expected to
406 // be dropped by the client rather than echoed back.
407 expectMessageDropped bool
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]408 // expectPeerCertificate, if not nil, is the certificate chain the peer
409 // is expected to send.
410 expectPeerCertificate *Certificate
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]411}
412
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]413var testCases []testCase
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]414
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]415func writeTranscript(test *testCase, num int, data []byte) {
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]416 if len(data) == 0 {
417 return
418 }
419
420 protocol := "tls"
421 if test.protocol == dtls {
422 protocol = "dtls"
423 }
424
425 side := "client"
426 if test.testType == serverTest {
427 side = "server"
428 }
429
430 dir := path.Join(*transcriptDir, protocol, side)
431 if err := os.MkdirAll(dir, 0755); err != nil {
432 fmt.Fprintf(os.Stderr, "Error making %s: %s\n", dir, err)
433 return
434 }
435
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]436 name := fmt.Sprintf("%s-%d", test.name, num)
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]437 if err := ioutil.WriteFile(path.Join(dir, name), data, 0644); err != nil {
438 fmt.Fprintf(os.Stderr, "Error writing %s: %s\n", name, err)
439 }
440}
441
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]442// A timeoutConn implements an idle timeout on each Read and Write operation.
443type timeoutConn struct {
444 net.Conn
445 timeout time.Duration
446}
447
448func (t *timeoutConn) Read(b []byte) (int, error) {
449 if err := t.SetReadDeadline(time.Now().Add(t.timeout)); err != nil {
450 return 0, err
451 }
452 return t.Conn.Read(b)
453}
454
455func (t *timeoutConn) Write(b []byte) (int, error) {
456 if err := t.SetWriteDeadline(time.Now().Add(t.timeout)); err != nil {
457 return 0, err
458 }
459 return t.Conn.Write(b)
460}
461
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]462func doExchange(test *testCase, config *Config, conn net.Conn, isResume bool, num int) error {
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]463 if !test.noSessionCache {
464 if config.ClientSessionCache == nil {
465 config.ClientSessionCache = NewLRUClientSessionCache(1)
466 }
467 if config.ServerSessionCache == nil {
468 config.ServerSessionCache = NewLRUServerSessionCache(1)
469 }
470 }
471 if test.testType == clientTest {
472 if len(config.Certificates) == 0 {
473 config.Certificates = []Certificate{rsaCertificate}
474 }
475 } else {
476 // Supply a ServerName to ensure a constant session cache key,
477 // rather than falling back to net.Conn.RemoteAddr.
478 if len(config.ServerName) == 0 {
479 config.ServerName = "test"
480 }
481 }
482 if *fuzzer {
483 config.Bugs.NullAllCiphers = true
484 }
David Benjamin01a90572016-09-22 00:11:43 -0400[diff] [blame]485 if *deterministic {
486 config.Time = func() time.Time { return time.Unix(1234, 1234) }
487 }
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]488
David Benjamin01784b42016-06-07 18:00:52 -0400[diff] [blame]489 conn = &timeoutConn{conn, *idleTimeout}
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]490
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]491 if test.protocol == dtls {
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]492 config.Bugs.PacketAdaptor = newPacketAdaptor(conn)
493 conn = config.Bugs.PacketAdaptor
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]494 }
495
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]496 if *flagDebug || len(*transcriptDir) != 0 {
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]497 local, peer := "client", "server"
498 if test.testType == clientTest {
499 local, peer = peer, local
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]500 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]501 connDebug := &recordingConn{
502 Conn: conn,
503 isDatagram: test.protocol == dtls,
504 local: local,
505 peer: peer,
506 }
507 conn = connDebug
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]508 if *flagDebug {
509 defer connDebug.WriteTo(os.Stdout)
510 }
511 if len(*transcriptDir) != 0 {
512 defer func() {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]513 writeTranscript(test, num, connDebug.Transcript())
David Benjamin9867b7d2016-03-01 23:25:48 -0500[diff] [blame]514 }()
515 }
David Benjaminebda9b32015-11-02 15:33:18 -0500[diff] [blame]516
517 if config.Bugs.PacketAdaptor != nil {
518 config.Bugs.PacketAdaptor.debug = connDebug
519 }
520 }
521
522 if test.replayWrites {
523 conn = newReplayAdaptor(conn)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]524 }
525
David Benjamin3ed59772016-03-08 12:50:21 -0500[diff] [blame]526 var connDamage *damageAdaptor
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]527 if test.damageFirstWrite {
528 connDamage = newDamageAdaptor(conn)
529 conn = connDamage
530 }
531
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]532 if test.sendPrefix != "" {
533 if _, err := conn.Write([]byte(test.sendPrefix)); err != nil {
534 return err
535 }
David Benjamin98e882e2014-08-08 13:24:34 -0400[diff] [blame]536 }
537
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]538 var tlsConn *Conn
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]539 if test.testType == clientTest {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]540 if test.protocol == dtls {
541 tlsConn = DTLSServer(conn, config)
542 } else {
543 tlsConn = Server(conn, config)
544 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]545 } else {
546 config.InsecureSkipVerify = true
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]547 if test.protocol == dtls {
548 tlsConn = DTLSClient(conn, config)
549 } else {
550 tlsConn = Client(conn, config)
551 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]552 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]553 defer tlsConn.Close()
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]554
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]555 if err := tlsConn.Handshake(); err != nil {
556 return err
557 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]558
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]559 // TODO(davidben): move all per-connection expectations into a dedicated
560 // expectations struct that can be specified separately for the two
561 // legs.
562 expectedVersion := test.expectedVersion
563 if isResume && test.expectedResumeVersion != 0 {
564 expectedVersion = test.expectedResumeVersion
565 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]566 connState := tlsConn.ConnectionState()
567 if vers := connState.Version; expectedVersion != 0 && vers != expectedVersion {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]568 return fmt.Errorf("got version %x, expected %x", vers, expectedVersion)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]569 }
570
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]571 if cipher := connState.CipherSuite; test.expectedCipher != 0 && cipher != test.expectedCipher {
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]572 return fmt.Errorf("got cipher %x, expected %x", cipher, test.expectedCipher)
573 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]574 if didResume := connState.DidResume; isResume && didResume == test.expectResumeRejected {
575 return fmt.Errorf("didResume is %t, but we expected the opposite", didResume)
576 }
David Benjamin90da8c82015-04-20 14:57:57 -0400[diff] [blame]577
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]578 if test.expectChannelID {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]579 channelID := connState.ChannelID
David Benjamina08e49d2014-08-24 01:46:07 -0400[diff] [blame]580 if channelID == nil {
581 return fmt.Errorf("no channel ID negotiated")
582 }
583 if channelID.Curve != channelIDKey.Curve ||
584 channelIDKey.X.Cmp(channelIDKey.X) != 0 ||
585 channelIDKey.Y.Cmp(channelIDKey.Y) != 0 {
586 return fmt.Errorf("incorrect channel ID")
587 }
588 }
589
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]590 if expected := test.expectedNextProto; expected != "" {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]591 if actual := connState.NegotiatedProtocol; actual != expected {
David Benjaminae2888f2014-09-06 12:58:58 -0400[diff] [blame]592 return fmt.Errorf("next proto mismatch: got %s, wanted %s", actual, expected)
593 }
594 }
595
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]596 if test.expectNoNextProto {
597 if actual := connState.NegotiatedProtocol; actual != "" {
598 return fmt.Errorf("got unexpected next proto %s", actual)
599 }
600 }
601
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]602 if test.expectedNextProtoType != 0 {
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]603 if (test.expectedNextProtoType == alpn) != connState.NegotiatedProtocolFromALPN {
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]604 return fmt.Errorf("next proto type mismatch")
605 }
606 }
607
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]608 if p := connState.SRTPProtectionProfile; p != test.expectedSRTPProtectionProfile {
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]609 return fmt.Errorf("SRTP profile mismatch: got %d, wanted %d", p, test.expectedSRTPProtectionProfile)
610 }
611
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]612 if test.expectedOCSPResponse != nil && !bytes.Equal(test.expectedOCSPResponse, tlsConn.OCSPResponse()) {
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]613 return fmt.Errorf("OCSP Response mismatch: got %x, wanted %x", tlsConn.OCSPResponse(), test.expectedOCSPResponse)
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]614 }
615
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]616 if test.expectedSCTList != nil && !bytes.Equal(test.expectedSCTList, connState.SCTList) {
617 return fmt.Errorf("SCT list mismatch")
618 }
619
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]620 if expected := test.expectedPeerSignatureAlgorithm; expected != 0 && expected != connState.PeerSignatureAlgorithm {
621 return fmt.Errorf("expected peer to use signature algorithm %04x, but got %04x", expected, connState.PeerSignatureAlgorithm)
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]622 }
623
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]624 if expected := test.expectedCurveID; expected != 0 && expected != connState.CurveID {
625 return fmt.Errorf("expected peer to use curve %04x, but got %04x", expected, connState.CurveID)
626 }
627
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]628 if test.expectPeerCertificate != nil {
629 if len(connState.PeerCertificates) != len(test.expectPeerCertificate.Certificate) {
630 return fmt.Errorf("expected peer to send %d certificates, but got %d", len(connState.PeerCertificates), len(test.expectPeerCertificate.Certificate))
631 }
632 for i, cert := range connState.PeerCertificates {
633 if !bytes.Equal(cert.Raw, test.expectPeerCertificate.Certificate[i]) {
634 return fmt.Errorf("peer certificate %d did not match", i+1)
635 }
636 }
637 }
638
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]639 if test.exportKeyingMaterial > 0 {
640 actual := make([]byte, test.exportKeyingMaterial)
641 if _, err := io.ReadFull(tlsConn, actual); err != nil {
642 return err
643 }
644 expected, err := tlsConn.ExportKeyingMaterial(test.exportKeyingMaterial, []byte(test.exportLabel), []byte(test.exportContext), test.useExportContext)
645 if err != nil {
646 return err
647 }
648 if !bytes.Equal(actual, expected) {
649 return fmt.Errorf("keying material mismatch")
650 }
651 }
652
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]653 if test.testTLSUnique {
654 var peersValue [12]byte
655 if _, err := io.ReadFull(tlsConn, peersValue[:]); err != nil {
656 return err
657 }
658 expected := tlsConn.ConnectionState().TLSUnique
659 if !bytes.Equal(peersValue[:], expected) {
660 return fmt.Errorf("tls-unique mismatch: peer sent %x, but %x was expected", peersValue[:], expected)
661 }
662 }
663
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]664 if test.shimWritesFirst {
665 var buf [5]byte
666 _, err := io.ReadFull(tlsConn, buf[:])
667 if err != nil {
668 return err
669 }
670 if string(buf[:]) != "hello" {
671 return fmt.Errorf("bad initial message")
672 }
673 }
674
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]675 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]676 if err := tlsConn.SendKeyUpdate(test.keyUpdateRequest); err != nil {
David Benjamin7f0965a2016-09-30 15:14:01 -0400[diff] [blame]677 return err
678 }
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]679 }
680
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]681 for i := 0; i < test.sendEmptyRecords; i++ {
682 tlsConn.Write(nil)
683 }
684
David Benjamin24f346d2015-06-06 03:28:08 -0400[diff] [blame]685 for i := 0; i < test.sendWarningAlerts; i++ {
686 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
687 }
688
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]689 if test.sendHalfHelloRequest {
690 tlsConn.SendHalfHelloRequest()
691 }
692
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]693 if test.renegotiate > 0 {
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]694 if test.renegotiateCiphers != nil {
695 config.CipherSuites = test.renegotiateCiphers
696 }
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]697 for i := 0; i < test.renegotiate; i++ {
698 if err := tlsConn.Renegotiate(); err != nil {
699 return err
700 }
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]701 }
702 } else if test.renegotiateCiphers != nil {
703 panic("renegotiateCiphers without renegotiate")
704 }
705
David Benjamin5fa3eba2015-01-22 16:35:40 -0500[diff] [blame]706 if test.damageFirstWrite {
707 connDamage.setDamage(true)
708 tlsConn.Write([]byte("DAMAGED WRITE"))
709 connDamage.setDamage(false)
710 }
711
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]712 messageLen := test.messageLen
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]713 if messageLen < 0 {
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]714 if test.protocol == dtls {
715 return fmt.Errorf("messageLen < 0 not supported for DTLS tests")
716 }
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]717 // Read until EOF.
718 _, err := io.Copy(ioutil.Discard, tlsConn)
719 return err
720 }
David Benjamin4417d052015-04-05 04:17:25 -0400[diff] [blame]721 if messageLen == 0 {
722 messageLen = 32
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]723 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]724
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]725 messageCount := test.messageCount
726 if messageCount == 0 {
727 messageCount = 1
David Benjamina8ebe222015-06-06 03:04:39 -0400[diff] [blame]728 }
729
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]730 for j := 0; j < messageCount; j++ {
731 testMessage := make([]byte, messageLen)
732 for i := range testMessage {
733 testMessage[i] = 0x42 ^ byte(j)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]734 }
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]735 tlsConn.Write(testMessage)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]736
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]737 for i := 0; i < test.sendKeyUpdates; i++ {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]738 tlsConn.SendKeyUpdate(test.keyUpdateRequest)
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]739 }
740
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]741 for i := 0; i < test.sendEmptyRecords; i++ {
742 tlsConn.Write(nil)
743 }
744
745 for i := 0; i < test.sendWarningAlerts; i++ {
746 tlsConn.SendAlert(alertLevelWarning, alertUnexpectedMessage)
747 }
748
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]749 if test.shimShutsDown || test.expectMessageDropped {
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]750 // The shim will not respond.
751 continue
752 }
753
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]754 buf := make([]byte, len(testMessage))
755 if test.protocol == dtls {
756 bufTmp := make([]byte, len(buf)+1)
757 n, err := tlsConn.Read(bufTmp)
758 if err != nil {
759 return err
760 }
761 if n != len(buf) {
762 return fmt.Errorf("bad reply; length mismatch (%d vs %d)", n, len(buf))
763 }
764 copy(buf, bufTmp)
765 } else {
766 _, err := io.ReadFull(tlsConn, buf)
767 if err != nil {
768 return err
769 }
770 }
771
772 for i, v := range buf {
773 if v != testMessage[i]^0xff {
774 return fmt.Errorf("bad reply contents at byte %d", i)
775 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]776 }
777 }
778
779 return nil
780}
781
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]782func valgrindOf(dbAttach bool, path string, args ...string) *exec.Cmd {
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]783 valgrindArgs := []string{"--error-exitcode=99", "--track-origins=yes", "--leak-check=full", "--quiet"}
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]784 if dbAttach {
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]785 valgrindArgs = append(valgrindArgs, "--db-attach=yes", "--db-command=xterm -e gdb -nw %f %p")
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]786 }
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]787 valgrindArgs = append(valgrindArgs, path)
788 valgrindArgs = append(valgrindArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]789
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]790 return exec.Command("valgrind", valgrindArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]791}
792
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]793func gdbOf(path string, args ...string) *exec.Cmd {
794 xtermArgs := []string{"-e", "gdb", "--args"}
795 xtermArgs = append(xtermArgs, path)
796 xtermArgs = append(xtermArgs, args...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]797
David Benjamin325b5c32014-07-01 19:40:31 -0400[diff] [blame]798 return exec.Command("xterm", xtermArgs...)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]799}
800
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]801func lldbOf(path string, args ...string) *exec.Cmd {
802 xtermArgs := []string{"-e", "lldb", "--"}
803 xtermArgs = append(xtermArgs, path)
804 xtermArgs = append(xtermArgs, args...)
805
806 return exec.Command("xterm", xtermArgs...)
807}
808
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]809var (
810 errMoreMallocs = errors.New("child process did not exhaust all allocation calls")
811 errUnimplemented = errors.New("child process does not implement needed flags")
812)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]813
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]814// accept accepts a connection from listener, unless waitChan signals a process
815// exit first.
816func acceptOrWait(listener net.Listener, waitChan chan error) (net.Conn, error) {
817 type connOrError struct {
818 conn net.Conn
819 err error
820 }
821 connChan := make(chan connOrError, 1)
822 go func() {
823 conn, err := listener.Accept()
824 connChan <- connOrError{conn, err}
825 close(connChan)
826 }()
827 select {
828 case result := <-connChan:
829 return result.conn, result.err
830 case childErr := <-waitChan:
831 waitChan <- childErr
832 return nil, fmt.Errorf("child exited early: %s", childErr)
833 }
834}
835
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]836func translateExpectedError(errorStr string) string {
837 if translated, ok := shimConfig.ErrorMap[errorStr]; ok {
838 return translated
839 }
840
841 if *looseErrors {
842 return ""
843 }
844
845 return errorStr
846}
847
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]848func runTest(test *testCase, shimPath string, mallocNumToFail int64) error {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]849 // Help debugging panics on the Go side.
850 defer func() {
851 if r := recover(); r != nil {
852 fmt.Fprintf(os.Stderr, "Test '%s' panicked.\n", test.name)
853 panic(r)
854 }
855 }()
856
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]857 if !test.shouldFail && (len(test.expectedError) > 0 || len(test.expectedLocalError) > 0) {
858 panic("Error expected without shouldFail in " + test.name)
859 }
860
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]861 if test.expectResumeRejected && !test.resumeSession {
862 panic("expectResumeRejected without resumeSession in " + test.name)
863 }
864
Adam Langley33b1d4f2016-12-07 15:03:45 -0800[diff] [blame]865 for _, ver := range tlsVersions {
866 if !strings.Contains("-"+test.name+"-", "-"+ver.name+"-") {
867 continue
868 }
869
870 if test.config.MaxVersion != 0 || test.config.MinVersion != 0 || test.expectedVersion != 0 {
871 continue
872 }
873
874 panic(fmt.Sprintf("The name of test %q suggests that it's version specific, but min/max version in the Config is %x/%x. One of them should probably be %x", test.name, test.config.MinVersion, test.config.MaxVersion, ver.version))
875 }
876
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]877 listener, err := net.ListenTCP("tcp4", &net.TCPAddr{IP: net.IP{127, 0, 0, 1}})
878 if err != nil {
879 panic(err)
880 }
881 defer func() {
882 if listener != nil {
883 listener.Close()
884 }
885 }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]886
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]887 flags := []string{"-port", strconv.Itoa(listener.Addr().(*net.TCPAddr).Port)}
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]888 if test.testType == serverTest {
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]889 flags = append(flags, "-server")
890
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]891 flags = append(flags, "-key-file")
892 if test.keyFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]893 flags = append(flags, path.Join(*resourceDir, rsaKeyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]894 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]895 flags = append(flags, path.Join(*resourceDir, test.keyFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]896 }
897
898 flags = append(flags, "-cert-file")
899 if test.certFile == "" {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]900 flags = append(flags, path.Join(*resourceDir, rsaCertificateFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]901 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]902 flags = append(flags, path.Join(*resourceDir, test.certFile))
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]903 }
904 }
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]905
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]906 if test.protocol == dtls {
907 flags = append(flags, "-dtls")
908 }
909
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]910 var resumeCount int
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]911 if test.resumeSession {
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]912 resumeCount++
913 if test.resumeRenewedSession {
914 resumeCount++
915 }
916 }
917
918 if resumeCount > 0 {
919 flags = append(flags, "-resume-count", strconv.Itoa(resumeCount))
David Benjamin5a593af2014-08-11 19:51:50 -0400[diff] [blame]920 }
921
David Benjamine58c4f52014-08-24 03:47:07 -0400[diff] [blame]922 if test.shimWritesFirst {
923 flags = append(flags, "-shim-writes-first")
924 }
925
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]926 if test.shimShutsDown {
927 flags = append(flags, "-shim-shuts-down")
928 }
929
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]930 if test.exportKeyingMaterial > 0 {
931 flags = append(flags, "-export-keying-material", strconv.Itoa(test.exportKeyingMaterial))
932 flags = append(flags, "-export-label", test.exportLabel)
933 flags = append(flags, "-export-context", test.exportContext)
934 if test.useExportContext {
935 flags = append(flags, "-use-export-context")
936 }
937 }
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]938 if test.expectResumeRejected {
939 flags = append(flags, "-expect-session-miss")
940 }
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]941
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]942 if test.testTLSUnique {
943 flags = append(flags, "-tls-unique")
944 }
945
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]946 flags = append(flags, test.flags...)
947
948 var shim *exec.Cmd
949 if *useValgrind {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]950 shim = valgrindOf(false, shimPath, flags...)
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]951 } else if *useGDB {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]952 shim = gdbOf(shimPath, flags...)
David Benjamind16bf342015-12-18 00:53:12 -0500[diff] [blame]953 } else if *useLLDB {
954 shim = lldbOf(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]955 } else {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]956 shim = exec.Command(shimPath, flags...)
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]957 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]958 shim.Stdin = os.Stdin
959 var stdoutBuf, stderrBuf bytes.Buffer
960 shim.Stdout = &stdoutBuf
961 shim.Stderr = &stderrBuf
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]962 if mallocNumToFail >= 0 {
David Benjamin9e128b02015-02-09 13:13:09 -0500[diff] [blame]963 shim.Env = os.Environ()
964 shim.Env = append(shim.Env, "MALLOC_NUMBER_TO_FAIL="+strconv.FormatInt(mallocNumToFail, 10))
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]965 if *mallocTestDebug {
David Benjamin184494d2015-06-12 18:23:47 -0400[diff] [blame]966 shim.Env = append(shim.Env, "MALLOC_BREAK_ON_FAIL=1")
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]967 }
968 shim.Env = append(shim.Env, "_MALLOC_CHECK=1")
969 }
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]970
971 if err := shim.Start(); err != nil {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]972 panic(err)
973 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]974 waitChan := make(chan error, 1)
975 go func() { waitChan <- shim.Wait() }()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]976
977 config := test.config
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]978
David Benjamin7a4aaa42016-09-20 17:58:14 -0400[diff] [blame]979 if *deterministic {
980 config.Rand = &deterministicRand{}
981 }
982
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]983 conn, err := acceptOrWait(listener, waitChan)
984 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]985 err = doExchange(test, &config, conn, false /* not a resumption */, 0)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]986 conn.Close()
987 }
David Benjamin65ea8ff2014-11-23 03:01:00 -0500[diff] [blame]988
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]989 for i := 0; err == nil && i < resumeCount; i++ {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]990 var resumeConfig Config
991 if test.resumeConfig != nil {
992 resumeConfig = *test.resumeConfig
David Benjamine54af062016-08-08 19:21:18 -0400[diff] [blame]993 if !test.newSessionsOnResume {
David Benjaminfe8eb9a2014-11-17 03:19:02 -0500[diff] [blame]994 resumeConfig.SessionTicketKey = config.SessionTicketKey
995 resumeConfig.ClientSessionCache = config.ClientSessionCache
996 resumeConfig.ServerSessionCache = config.ServerSessionCache
997 }
David Benjamin2e045a92016-06-08 13:09:56 -0400[diff] [blame]998 resumeConfig.Rand = config.Rand
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]999 } else {
1000 resumeConfig = config
1001 }
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1002 var connResume net.Conn
1003 connResume, err = acceptOrWait(listener, waitChan)
1004 if err == nil {
David Benjaminc07afb72016-09-22 10:18:58 -0400[diff] [blame]1005 err = doExchange(test, &resumeConfig, connResume, true /* resumption */, i+1)
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1006 connResume.Close()
1007 }
David Benjamin1d5c83e2014-07-22 19:20:02 -0400[diff] [blame]1008 }
1009
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]1010 // Close the listener now. This is to avoid hangs should the shim try to
1011 // open more connections than expected.
1012 listener.Close()
1013 listener = nil
1014
1015 childErr := <-waitChan
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1016 var isValgrindError bool
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1017 if exitError, ok := childErr.(*exec.ExitError); ok {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1018 switch exitError.Sys().(syscall.WaitStatus).ExitStatus() {
1019 case 88:
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1020 return errMoreMallocs
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]1021 case 89:
1022 return errUnimplemented
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1023 case 99:
1024 isValgrindError = true
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]1025 }
1026 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1027
David Benjamin9bea3492016-03-02 10:59:16 -0500[diff] [blame]1028 // Account for Windows line endings.
1029 stdout := strings.Replace(string(stdoutBuf.Bytes()), "\r\n", "\n", -1)
1030 stderr := strings.Replace(string(stderrBuf.Bytes()), "\r\n", "\n", -1)
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1031
1032 // Separate the errors from the shim and those from tools like
1033 // AddressSanitizer.
1034 var extraStderr string
1035 if stderrParts := strings.SplitN(stderr, "--- DONE ---\n", 2); len(stderrParts) == 2 {
1036 stderr = stderrParts[0]
1037 extraStderr = stderrParts[1]
1038 }
1039
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1040 failed := err != nil || childErr != nil
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1041 expectedError := translateExpectedError(test.expectedError)
1042 correctFailure := len(expectedError) == 0 || strings.Contains(stderr, expectedError)
EKR173bf932016-07-29 15:52:49 +0200[diff] [blame]1043
Adam Langleyac61fa32014-06-23 12:03:11 -0700[diff] [blame]1044 localError := "none"
1045 if err != nil {
1046 localError = err.Error()
1047 }
1048 if len(test.expectedLocalError) != 0 {
1049 correctFailure = correctFailure && strings.Contains(localError, test.expectedLocalError)
1050 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1051
1052 if failed != test.shouldFail || failed && !correctFailure {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1053 childError := "none"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1054 if childErr != nil {
1055 childError = childErr.Error()
1056 }
1057
1058 var msg string
1059 switch {
1060 case failed && !test.shouldFail:
1061 msg = "unexpected failure"
1062 case !failed && test.shouldFail:
1063 msg = "unexpected success"
1064 case failed && !correctFailure:
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]1065 msg = "bad error (wanted '" + expectedError + "' / '" + test.expectedLocalError + "')"
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1066 default:
1067 panic("internal error")
1068 }
1069
David Benjamin9aafb642016-09-20 19:36:53 -0400[diff] [blame]1070 return fmt.Errorf("%s: local error '%s', child error '%s', stdout:\n%s\nstderr:\n%s\n%s", msg, localError, childError, stdout, stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1071 }
1072
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1073 if len(extraStderr) > 0 || (!failed && len(stderr) > 0) {
David Benjaminff3a1492016-03-02 10:12:06 -0500[diff] [blame]1074 return fmt.Errorf("unexpected error output:\n%s\n%s", stderr, extraStderr)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1075 }
1076
David Benjamind2ba8892016-09-20 19:41:04 -0400[diff] [blame]1077 if *useValgrind && isValgrindError {
1078 return fmt.Errorf("valgrind error:\n%s\n%s", stderr, extraStderr)
1079 }
1080
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1081 return nil
1082}
1083
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1084type tlsVersion struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1085 name string
1086 version uint16
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]1087 flag string
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1088 hasDTLS bool
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1089}
1090
1091var tlsVersions = []tlsVersion{
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1092 {"SSL3", VersionSSL30, "-no-ssl3", false},
1093 {"TLS1", VersionTLS10, "-no-tls1", true},
1094 {"TLS11", VersionTLS11, "-no-tls11", false},
1095 {"TLS12", VersionTLS12, "-no-tls12", true},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1096 {"TLS13", VersionTLS13, "-no-tls13", false},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1097}
1098
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1099type testCipherSuite struct {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1100 name string
1101 id uint16
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]1102}
1103
1104var testCipherSuites = []testCipherSuite{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1105 {"3DES-SHA", TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1106 {"AES128-GCM", TLS_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1107 {"AES128-SHA", TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1108 {"AES128-SHA256", TLS_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1109 {"AES256-GCM", TLS_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1110 {"AES256-SHA", TLS_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1111 {"AES256-SHA256", TLS_RSA_WITH_AES_256_CBC_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1112 {"ECDHE-ECDSA-AES128-GCM", TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
1113 {"ECDHE-ECDSA-AES128-SHA", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1114 {"ECDHE-ECDSA-AES128-SHA256", TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256},
1115 {"ECDHE-ECDSA-AES256-GCM", TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1116 {"ECDHE-ECDSA-AES256-SHA", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1117 {"ECDHE-ECDSA-AES256-SHA384", TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1118 {"ECDHE-ECDSA-CHACHA20-POLY1305", TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1119 {"ECDHE-RSA-AES128-GCM", TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1120 {"ECDHE-RSA-AES128-SHA", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1121 {"ECDHE-RSA-AES128-SHA256", TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256},
David Benjaminf4e5c4e2014-08-02 17:35:45 -0400[diff] [blame]1122 {"ECDHE-RSA-AES256-GCM", TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1123 {"ECDHE-RSA-AES256-SHA", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA},
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1124 {"ECDHE-RSA-AES256-SHA384", TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1125 {"ECDHE-RSA-CHACHA20-POLY1305", TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]1126 {"PSK-AES128-CBC-SHA", TLS_PSK_WITH_AES_128_CBC_SHA},
1127 {"PSK-AES256-CBC-SHA", TLS_PSK_WITH_AES_256_CBC_SHA},
Adam Langley85bc5602015-06-09 09:54:04 -0700[diff] [blame]1128 {"ECDHE-PSK-AES128-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
1129 {"ECDHE-PSK-AES256-CBC-SHA", TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA},
David Benjamin13414b32015-12-09 23:02:39 -0500[diff] [blame]1130 {"ECDHE-PSK-CHACHA20-POLY1305", TLS_ECDHE_PSK_WITH_CHACHA20_POLY1305_SHA256},
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1131 {"AEAD-CHACHA20-POLY1305", TLS_CHACHA20_POLY1305_SHA256},
1132 {"AEAD-AES128-GCM-SHA256", TLS_AES_128_GCM_SHA256},
1133 {"AEAD-AES256-GCM-SHA384", TLS_AES_256_GCM_SHA384},
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1134 {"NULL-SHA", TLS_RSA_WITH_NULL_SHA},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]1135}
1136
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1137func hasComponent(suiteName, component string) bool {
1138 return strings.Contains("-"+suiteName+"-", "-"+component+"-")
1139}
1140
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1141func isTLS12Only(suiteName string) bool {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1142 return hasComponent(suiteName, "GCM") ||
1143 hasComponent(suiteName, "SHA256") ||
David Benjamine9a80ff2015-04-07 00:46:46 -0400[diff] [blame]1144 hasComponent(suiteName, "SHA384") ||
1145 hasComponent(suiteName, "POLY1305")
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1146}
1147
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1148func isTLS13Suite(suiteName string) bool {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1149 return strings.HasPrefix(suiteName, "AEAD-")
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1150}
1151
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]1152func isDTLSCipher(suiteName string) bool {
Matt Braithwaiteaf096752015-09-02 19:48:16 -0700[diff] [blame]1153 return !hasComponent(suiteName, "RC4") && !hasComponent(suiteName, "NULL")
David Benjaminf7768e42014-08-31 02:06:47 -0400[diff] [blame]1154}
1155
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]1156func bigFromHex(hex string) *big.Int {
1157 ret, ok := new(big.Int).SetString(hex, 16)
1158 if !ok {
1159 panic("failed to parse hex number 0x" + hex)
1160 }
1161 return ret
1162}
1163
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1164func addBasicTests() {
1165 basicTests := []testCase{
1166 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1167 name: "NoFallbackSCSV",
1168 config: Config{
1169 Bugs: ProtocolBugs{
1170 FailIfNotFallbackSCSV: true,
1171 },
1172 },
1173 shouldFail: true,
1174 expectedLocalError: "no fallback SCSV found",
1175 },
1176 {
1177 name: "SendFallbackSCSV",
1178 config: Config{
1179 Bugs: ProtocolBugs{
1180 FailIfNotFallbackSCSV: true,
1181 },
1182 },
1183 flags: []string{"-fallback-scsv"},
1184 },
1185 {
1186 name: "ClientCertificateTypes",
1187 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1188 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1189 ClientAuth: RequestClientCert,
1190 ClientCertificateTypes: []byte{
1191 CertTypeDSSSign,
1192 CertTypeRSASign,
1193 CertTypeECDSASign,
1194 },
1195 },
1196 flags: []string{
1197 "-expect-certificate-types",
1198 base64.StdEncoding.EncodeToString([]byte{
1199 CertTypeDSSSign,
1200 CertTypeRSASign,
1201 CertTypeECDSASign,
1202 }),
1203 },
1204 },
1205 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1206 name: "UnauthenticatedECDH",
1207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1208 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1209 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1210 Bugs: ProtocolBugs{
1211 UnauthenticatedECDH: true,
1212 },
1213 },
1214 shouldFail: true,
1215 expectedError: ":UNEXPECTED_MESSAGE:",
1216 },
1217 {
1218 name: "SkipCertificateStatus",
1219 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1220 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1221 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1222 Bugs: ProtocolBugs{
1223 SkipCertificateStatus: true,
1224 },
1225 },
1226 flags: []string{
1227 "-enable-ocsp-stapling",
1228 },
1229 },
1230 {
1231 name: "SkipServerKeyExchange",
1232 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1233 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1234 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1235 Bugs: ProtocolBugs{
1236 SkipServerKeyExchange: true,
1237 },
1238 },
1239 shouldFail: true,
1240 expectedError: ":UNEXPECTED_MESSAGE:",
1241 },
1242 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1243 testType: serverTest,
1244 name: "Alert",
1245 config: Config{
1246 Bugs: ProtocolBugs{
1247 SendSpuriousAlert: alertRecordOverflow,
1248 },
1249 },
1250 shouldFail: true,
1251 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1252 },
1253 {
1254 protocol: dtls,
1255 testType: serverTest,
1256 name: "Alert-DTLS",
1257 config: Config{
1258 Bugs: ProtocolBugs{
1259 SendSpuriousAlert: alertRecordOverflow,
1260 },
1261 },
1262 shouldFail: true,
1263 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1264 },
1265 {
1266 testType: serverTest,
1267 name: "FragmentAlert",
1268 config: Config{
1269 Bugs: ProtocolBugs{
1270 FragmentAlert: true,
1271 SendSpuriousAlert: alertRecordOverflow,
1272 },
1273 },
1274 shouldFail: true,
1275 expectedError: ":BAD_ALERT:",
1276 },
1277 {
1278 protocol: dtls,
1279 testType: serverTest,
1280 name: "FragmentAlert-DTLS",
1281 config: Config{
1282 Bugs: ProtocolBugs{
1283 FragmentAlert: true,
1284 SendSpuriousAlert: alertRecordOverflow,
1285 },
1286 },
1287 shouldFail: true,
1288 expectedError: ":BAD_ALERT:",
1289 },
1290 {
1291 testType: serverTest,
David Benjamin0d3a8c62016-03-11 22:25:18 -0500[diff] [blame]1292 name: "DoubleAlert",
1293 config: Config{
1294 Bugs: ProtocolBugs{
1295 DoubleAlert: true,
1296 SendSpuriousAlert: alertRecordOverflow,
1297 },
1298 },
1299 shouldFail: true,
1300 expectedError: ":BAD_ALERT:",
1301 },
1302 {
1303 protocol: dtls,
1304 testType: serverTest,
1305 name: "DoubleAlert-DTLS",
1306 config: Config{
1307 Bugs: ProtocolBugs{
1308 DoubleAlert: true,
1309 SendSpuriousAlert: alertRecordOverflow,
1310 },
1311 },
1312 shouldFail: true,
1313 expectedError: ":BAD_ALERT:",
1314 },
1315 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1316 name: "SkipNewSessionTicket",
1317 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1318 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1319 Bugs: ProtocolBugs{
1320 SkipNewSessionTicket: true,
1321 },
1322 },
1323 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1324 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1325 },
1326 {
1327 testType: serverTest,
1328 name: "FallbackSCSV",
1329 config: Config{
1330 MaxVersion: VersionTLS11,
1331 Bugs: ProtocolBugs{
1332 SendFallbackSCSV: true,
1333 },
1334 },
David Benjamin56cadc32016-12-16 19:54:11 -0500[diff] [blame]1335 shouldFail: true,
1336 expectedError: ":INAPPROPRIATE_FALLBACK:",
1337 expectedLocalError: "remote error: inappropriate fallback",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1338 },
1339 {
1340 testType: serverTest,
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1341 name: "FallbackSCSV-VersionMatch-TLS13",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1342 config: Config{
David Benjaminb442dee2016-12-19 22:15:08 -0500[diff] [blame]1343 MaxVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1344 Bugs: ProtocolBugs{
1345 SendFallbackSCSV: true,
1346 },
1347 },
1348 },
1349 {
1350 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1351 name: "FallbackSCSV-VersionMatch-TLS12",
1352 config: Config{
1353 MaxVersion: VersionTLS12,
1354 Bugs: ProtocolBugs{
1355 SendFallbackSCSV: true,
1356 },
1357 },
1358 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
1359 },
1360 {
1361 testType: serverTest,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1362 name: "FragmentedClientVersion",
1363 config: Config{
1364 Bugs: ProtocolBugs{
1365 MaxHandshakeRecordLength: 1,
1366 FragmentClientVersion: true,
1367 },
1368 },
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1369 expectedVersion: VersionTLS13,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1370 },
1371 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1372 testType: serverTest,
1373 name: "HttpGET",
1374 sendPrefix: "GET / HTTP/1.0\n",
1375 shouldFail: true,
1376 expectedError: ":HTTP_REQUEST:",
1377 },
1378 {
1379 testType: serverTest,
1380 name: "HttpPOST",
1381 sendPrefix: "POST / HTTP/1.0\n",
1382 shouldFail: true,
1383 expectedError: ":HTTP_REQUEST:",
1384 },
1385 {
1386 testType: serverTest,
1387 name: "HttpHEAD",
1388 sendPrefix: "HEAD / HTTP/1.0\n",
1389 shouldFail: true,
1390 expectedError: ":HTTP_REQUEST:",
1391 },
1392 {
1393 testType: serverTest,
1394 name: "HttpPUT",
1395 sendPrefix: "PUT / HTTP/1.0\n",
1396 shouldFail: true,
1397 expectedError: ":HTTP_REQUEST:",
1398 },
1399 {
1400 testType: serverTest,
1401 name: "HttpCONNECT",
1402 sendPrefix: "CONNECT www.google.com:443 HTTP/1.0\n",
1403 shouldFail: true,
1404 expectedError: ":HTTPS_PROXY_REQUEST:",
1405 },
1406 {
1407 testType: serverTest,
1408 name: "Garbage",
1409 sendPrefix: "blah",
1410 shouldFail: true,
David Benjamin97760d52015-07-24 23:02:49 -0400[diff] [blame]1411 expectedError: ":WRONG_VERSION_NUMBER:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1412 },
1413 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1414 name: "RSAEphemeralKey",
1415 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1416 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1417 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
1418 Bugs: ProtocolBugs{
1419 RSAEphemeralKey: true,
1420 },
1421 },
1422 shouldFail: true,
1423 expectedError: ":UNEXPECTED_MESSAGE:",
1424 },
1425 {
1426 name: "DisableEverything",
Steven Valdez4f94b1c2016-05-24 12:31:07 -0400[diff] [blame]1427 flags: []string{"-no-tls13", "-no-tls12", "-no-tls11", "-no-tls1", "-no-ssl3"},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1428 shouldFail: true,
1429 expectedError: ":WRONG_SSL_VERSION:",
1430 },
1431 {
1432 protocol: dtls,
1433 name: "DisableEverything-DTLS",
1434 flags: []string{"-no-tls12", "-no-tls1"},
1435 shouldFail: true,
1436 expectedError: ":WRONG_SSL_VERSION:",
1437 },
1438 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1439 protocol: dtls,
1440 testType: serverTest,
1441 name: "MTU",
1442 config: Config{
1443 Bugs: ProtocolBugs{
1444 MaxPacketLength: 256,
1445 },
1446 },
1447 flags: []string{"-mtu", "256"},
1448 },
1449 {
1450 protocol: dtls,
1451 testType: serverTest,
1452 name: "MTUExceeded",
1453 config: Config{
1454 Bugs: ProtocolBugs{
1455 MaxPacketLength: 255,
1456 },
1457 },
1458 flags: []string{"-mtu", "256"},
1459 shouldFail: true,
1460 expectedLocalError: "dtls: exceeded maximum packet length",
1461 },
1462 {
1463 name: "CertMismatchRSA",
1464 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1465 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1466 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1467 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1468 Bugs: ProtocolBugs{
1469 SendCipherSuite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
1470 },
1471 },
1472 shouldFail: true,
1473 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1474 },
1475 {
1476 name: "CertMismatchECDSA",
1477 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1478 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1479 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]1480 Certificates: []Certificate{rsaCertificate},
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1481 Bugs: ProtocolBugs{
1482 SendCipherSuite: TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
1483 },
1484 },
1485 shouldFail: true,
1486 expectedError: ":WRONG_CERTIFICATE_TYPE:",
1487 },
1488 {
1489 name: "EmptyCertificateList",
1490 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1491 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1492 Bugs: ProtocolBugs{
1493 EmptyCertificateList: true,
1494 },
1495 },
1496 shouldFail: true,
1497 expectedError: ":DECODE_ERROR:",
1498 },
1499 {
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1500 name: "EmptyCertificateList-TLS13",
1501 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]1502 MaxVersion: VersionTLS13,
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1503 Bugs: ProtocolBugs{
1504 EmptyCertificateList: true,
1505 },
1506 },
1507 shouldFail: true,
David Benjamin4087df92016-08-01 20:16:31 -0400[diff] [blame]1508 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
David Benjamin9ec1c752016-07-14 12:45:01 -0400[diff] [blame]1509 },
1510 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1511 name: "TLSFatalBadPackets",
1512 damageFirstWrite: true,
1513 shouldFail: true,
1514 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
1515 },
1516 {
1517 protocol: dtls,
1518 name: "DTLSIgnoreBadPackets",
1519 damageFirstWrite: true,
1520 },
1521 {
1522 protocol: dtls,
1523 name: "DTLSIgnoreBadPackets-Async",
1524 damageFirstWrite: true,
1525 flags: []string{"-async"},
1526 },
1527 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1528 name: "AppDataBeforeHandshake",
1529 config: Config{
1530 Bugs: ProtocolBugs{
1531 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1532 },
1533 },
1534 shouldFail: true,
1535 expectedError: ":UNEXPECTED_RECORD:",
1536 },
1537 {
1538 name: "AppDataBeforeHandshake-Empty",
1539 config: Config{
1540 Bugs: ProtocolBugs{
1541 AppDataBeforeHandshake: []byte{},
1542 },
1543 },
1544 shouldFail: true,
1545 expectedError: ":UNEXPECTED_RECORD:",
1546 },
1547 {
1548 protocol: dtls,
1549 name: "AppDataBeforeHandshake-DTLS",
1550 config: Config{
1551 Bugs: ProtocolBugs{
1552 AppDataBeforeHandshake: []byte("TEST MESSAGE"),
1553 },
1554 },
1555 shouldFail: true,
1556 expectedError: ":UNEXPECTED_RECORD:",
1557 },
1558 {
1559 protocol: dtls,
1560 name: "AppDataBeforeHandshake-DTLS-Empty",
1561 config: Config{
1562 Bugs: ProtocolBugs{
1563 AppDataBeforeHandshake: []byte{},
1564 },
1565 },
1566 shouldFail: true,
1567 expectedError: ":UNEXPECTED_RECORD:",
1568 },
1569 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1570 name: "AppDataAfterChangeCipherSpec",
1571 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1572 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1573 Bugs: ProtocolBugs{
1574 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1575 },
1576 },
1577 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1578 expectedError: ":UNEXPECTED_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1579 },
1580 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1581 name: "AppDataAfterChangeCipherSpec-Empty",
1582 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1583 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1584 Bugs: ProtocolBugs{
1585 AppDataAfterChangeCipherSpec: []byte{},
1586 },
1587 },
1588 shouldFail: true,
David Benjamina41280d2015-11-26 02:16:49 -0500[diff] [blame]1589 expectedError: ":UNEXPECTED_RECORD:",
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1590 },
1591 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1592 protocol: dtls,
1593 name: "AppDataAfterChangeCipherSpec-DTLS",
1594 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1595 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1596 Bugs: ProtocolBugs{
1597 AppDataAfterChangeCipherSpec: []byte("TEST MESSAGE"),
1598 },
1599 },
1600 // BoringSSL's DTLS implementation will drop the out-of-order
1601 // application data.
1602 },
1603 {
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1604 protocol: dtls,
1605 name: "AppDataAfterChangeCipherSpec-DTLS-Empty",
1606 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1607 MaxVersion: VersionTLS12,
David Benjamin4cf369b2015-08-22 01:35:43 -0400[diff] [blame]1608 Bugs: ProtocolBugs{
1609 AppDataAfterChangeCipherSpec: []byte{},
1610 },
1611 },
1612 // BoringSSL's DTLS implementation will drop the out-of-order
1613 // application data.
1614 },
1615 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1616 name: "AlertAfterChangeCipherSpec",
1617 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1618 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1619 Bugs: ProtocolBugs{
1620 AlertAfterChangeCipherSpec: alertRecordOverflow,
1621 },
1622 },
1623 shouldFail: true,
1624 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1625 },
1626 {
1627 protocol: dtls,
1628 name: "AlertAfterChangeCipherSpec-DTLS",
1629 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1630 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1631 Bugs: ProtocolBugs{
1632 AlertAfterChangeCipherSpec: alertRecordOverflow,
1633 },
1634 },
1635 shouldFail: true,
1636 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
1637 },
1638 {
1639 protocol: dtls,
1640 name: "ReorderHandshakeFragments-Small-DTLS",
1641 config: Config{
1642 Bugs: ProtocolBugs{
1643 ReorderHandshakeFragments: true,
1644 // Small enough that every handshake message is
1645 // fragmented.
1646 MaxHandshakeRecordLength: 2,
1647 },
1648 },
1649 },
1650 {
1651 protocol: dtls,
1652 name: "ReorderHandshakeFragments-Large-DTLS",
1653 config: Config{
1654 Bugs: ProtocolBugs{
1655 ReorderHandshakeFragments: true,
1656 // Large enough that no handshake message is
1657 // fragmented.
1658 MaxHandshakeRecordLength: 2048,
1659 },
1660 },
1661 },
1662 {
1663 protocol: dtls,
1664 name: "MixCompleteMessageWithFragments-DTLS",
1665 config: Config{
1666 Bugs: ProtocolBugs{
1667 ReorderHandshakeFragments: true,
1668 MixCompleteMessageWithFragments: true,
1669 MaxHandshakeRecordLength: 2,
1670 },
1671 },
1672 },
1673 {
1674 name: "SendInvalidRecordType",
1675 config: Config{
1676 Bugs: ProtocolBugs{
1677 SendInvalidRecordType: true,
1678 },
1679 },
1680 shouldFail: true,
1681 expectedError: ":UNEXPECTED_RECORD:",
1682 },
1683 {
1684 protocol: dtls,
1685 name: "SendInvalidRecordType-DTLS",
1686 config: Config{
1687 Bugs: ProtocolBugs{
1688 SendInvalidRecordType: true,
1689 },
1690 },
1691 shouldFail: true,
1692 expectedError: ":UNEXPECTED_RECORD:",
1693 },
1694 {
1695 name: "FalseStart-SkipServerSecondLeg",
1696 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1697 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1698 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1699 NextProtos: []string{"foo"},
1700 Bugs: ProtocolBugs{
1701 SkipNewSessionTicket: true,
1702 SkipChangeCipherSpec: true,
1703 SkipFinished: true,
1704 ExpectFalseStart: true,
1705 },
1706 },
1707 flags: []string{
1708 "-false-start",
1709 "-handshake-never-done",
1710 "-advertise-alpn", "\x03foo",
1711 },
1712 shimWritesFirst: true,
1713 shouldFail: true,
1714 expectedError: ":UNEXPECTED_RECORD:",
1715 },
1716 {
1717 name: "FalseStart-SkipServerSecondLeg-Implicit",
1718 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1719 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1720 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1721 NextProtos: []string{"foo"},
1722 Bugs: ProtocolBugs{
1723 SkipNewSessionTicket: true,
1724 SkipChangeCipherSpec: true,
1725 SkipFinished: true,
1726 },
1727 },
1728 flags: []string{
1729 "-implicit-handshake",
1730 "-false-start",
1731 "-handshake-never-done",
1732 "-advertise-alpn", "\x03foo",
1733 },
1734 shouldFail: true,
1735 expectedError: ":UNEXPECTED_RECORD:",
1736 },
1737 {
1738 testType: serverTest,
1739 name: "FailEarlyCallback",
1740 flags: []string{"-fail-early-callback"},
1741 shouldFail: true,
1742 expectedError: ":CONNECTION_REJECTED:",
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]1743 expectedLocalError: "remote error: handshake failure",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1744 },
1745 {
David Benjaminb8d74f52016-11-14 22:02:50 +0900[diff] [blame]1746 name: "FailCertCallback-Client-TLS12",
1747 config: Config{
1748 MaxVersion: VersionTLS12,
1749 ClientAuth: RequestClientCert,
1750 },
1751 flags: []string{"-fail-cert-callback"},
1752 shouldFail: true,
1753 expectedError: ":CERT_CB_ERROR:",
1754 expectedLocalError: "remote error: internal error",
1755 },
1756 {
1757 testType: serverTest,
1758 name: "FailCertCallback-Server-TLS12",
1759 config: Config{
1760 MaxVersion: VersionTLS12,
1761 },
1762 flags: []string{"-fail-cert-callback"},
1763 shouldFail: true,
1764 expectedError: ":CERT_CB_ERROR:",
1765 expectedLocalError: "remote error: internal error",
1766 },
1767 {
1768 name: "FailCertCallback-Client-TLS13",
1769 config: Config{
1770 MaxVersion: VersionTLS13,
1771 ClientAuth: RequestClientCert,
1772 },
1773 flags: []string{"-fail-cert-callback"},
1774 shouldFail: true,
1775 expectedError: ":CERT_CB_ERROR:",
1776 expectedLocalError: "remote error: internal error",
1777 },
1778 {
1779 testType: serverTest,
1780 name: "FailCertCallback-Server-TLS13",
1781 config: Config{
1782 MaxVersion: VersionTLS13,
1783 },
1784 flags: []string{"-fail-cert-callback"},
1785 shouldFail: true,
1786 expectedError: ":CERT_CB_ERROR:",
1787 expectedLocalError: "remote error: internal error",
1788 },
1789 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1790 protocol: dtls,
1791 name: "FragmentMessageTypeMismatch-DTLS",
1792 config: Config{
1793 Bugs: ProtocolBugs{
1794 MaxHandshakeRecordLength: 2,
1795 FragmentMessageTypeMismatch: true,
1796 },
1797 },
1798 shouldFail: true,
1799 expectedError: ":FRAGMENT_MISMATCH:",
1800 },
1801 {
1802 protocol: dtls,
1803 name: "FragmentMessageLengthMismatch-DTLS",
1804 config: Config{
1805 Bugs: ProtocolBugs{
1806 MaxHandshakeRecordLength: 2,
1807 FragmentMessageLengthMismatch: true,
1808 },
1809 },
1810 shouldFail: true,
1811 expectedError: ":FRAGMENT_MISMATCH:",
1812 },
1813 {
1814 protocol: dtls,
1815 name: "SplitFragments-Header-DTLS",
1816 config: Config{
1817 Bugs: ProtocolBugs{
1818 SplitFragments: 2,
1819 },
1820 },
1821 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1822 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1823 },
1824 {
1825 protocol: dtls,
1826 name: "SplitFragments-Boundary-DTLS",
1827 config: Config{
1828 Bugs: ProtocolBugs{
1829 SplitFragments: dtlsRecordHeaderLen,
1830 },
1831 },
1832 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1833 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1834 },
1835 {
1836 protocol: dtls,
1837 name: "SplitFragments-Body-DTLS",
1838 config: Config{
1839 Bugs: ProtocolBugs{
1840 SplitFragments: dtlsRecordHeaderLen + 1,
1841 },
1842 },
1843 shouldFail: true,
David Benjaminc6604172016-06-02 16:38:35 -0400[diff] [blame]1844 expectedError: ":BAD_HANDSHAKE_RECORD:",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1845 },
1846 {
1847 protocol: dtls,
1848 name: "SendEmptyFragments-DTLS",
1849 config: Config{
1850 Bugs: ProtocolBugs{
1851 SendEmptyFragments: true,
1852 },
1853 },
1854 },
1855 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1856 name: "BadFinished-Client",
1857 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1858 MaxVersion: VersionTLS12,
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1859 Bugs: ProtocolBugs{
1860 BadFinished: true,
1861 },
1862 },
1863 shouldFail: true,
1864 expectedError: ":DIGEST_CHECK_FAILED:",
1865 },
1866 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1867 name: "BadFinished-Client-TLS13",
1868 config: Config{
1869 MaxVersion: VersionTLS13,
1870 Bugs: ProtocolBugs{
1871 BadFinished: true,
1872 },
1873 },
1874 shouldFail: true,
1875 expectedError: ":DIGEST_CHECK_FAILED:",
1876 },
1877 {
David Benjaminbf82aed2016-03-01 22:57:40 -0500[diff] [blame]1878 testType: serverTest,
1879 name: "BadFinished-Server",
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1880 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]1881 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1882 Bugs: ProtocolBugs{
1883 BadFinished: true,
1884 },
1885 },
1886 shouldFail: true,
1887 expectedError: ":DIGEST_CHECK_FAILED:",
1888 },
1889 {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]1890 testType: serverTest,
1891 name: "BadFinished-Server-TLS13",
1892 config: Config{
1893 MaxVersion: VersionTLS13,
1894 Bugs: ProtocolBugs{
1895 BadFinished: true,
1896 },
1897 },
1898 shouldFail: true,
1899 expectedError: ":DIGEST_CHECK_FAILED:",
1900 },
1901 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1902 name: "FalseStart-BadFinished",
1903 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1904 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1905 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1906 NextProtos: []string{"foo"},
1907 Bugs: ProtocolBugs{
1908 BadFinished: true,
1909 ExpectFalseStart: true,
1910 },
1911 },
1912 flags: []string{
1913 "-false-start",
1914 "-handshake-never-done",
1915 "-advertise-alpn", "\x03foo",
1916 },
1917 shimWritesFirst: true,
1918 shouldFail: true,
1919 expectedError: ":DIGEST_CHECK_FAILED:",
1920 },
1921 {
1922 name: "NoFalseStart-NoALPN",
1923 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1924 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1925 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
1926 Bugs: ProtocolBugs{
1927 ExpectFalseStart: true,
1928 AlertBeforeFalseStartTest: alertAccessDenied,
1929 },
1930 },
1931 flags: []string{
1932 "-false-start",
1933 },
1934 shimWritesFirst: true,
1935 shouldFail: true,
1936 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1937 expectedLocalError: "tls: peer did not false start: EOF",
1938 },
1939 {
1940 name: "NoFalseStart-NoAEAD",
1941 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1942 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1943 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
1944 NextProtos: []string{"foo"},
1945 Bugs: ProtocolBugs{
1946 ExpectFalseStart: true,
1947 AlertBeforeFalseStartTest: alertAccessDenied,
1948 },
1949 },
1950 flags: []string{
1951 "-false-start",
1952 "-advertise-alpn", "\x03foo",
1953 },
1954 shimWritesFirst: true,
1955 shouldFail: true,
1956 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1957 expectedLocalError: "tls: peer did not false start: EOF",
1958 },
1959 {
1960 name: "NoFalseStart-RSA",
1961 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]1962 MaxVersion: VersionTLS12,
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1963 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
1964 NextProtos: []string{"foo"},
1965 Bugs: ProtocolBugs{
1966 ExpectFalseStart: true,
1967 AlertBeforeFalseStartTest: alertAccessDenied,
1968 },
1969 },
1970 flags: []string{
1971 "-false-start",
1972 "-advertise-alpn", "\x03foo",
1973 },
1974 shimWritesFirst: true,
1975 shouldFail: true,
1976 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
1977 expectedLocalError: "tls: peer did not false start: EOF",
1978 },
1979 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]1980 protocol: dtls,
1981 name: "SendSplitAlert-Sync",
1982 config: Config{
1983 Bugs: ProtocolBugs{
1984 SendSplitAlert: true,
1985 },
1986 },
1987 },
1988 {
1989 protocol: dtls,
1990 name: "SendSplitAlert-Async",
1991 config: Config{
1992 Bugs: ProtocolBugs{
1993 SendSplitAlert: true,
1994 },
1995 },
1996 flags: []string{"-async"},
1997 },
1998 {
1999 protocol: dtls,
2000 name: "PackDTLSHandshake",
2001 config: Config{
2002 Bugs: ProtocolBugs{
2003 MaxHandshakeRecordLength: 2,
2004 PackHandshakeFragments: 20,
2005 PackHandshakeRecords: 200,
2006 },
2007 },
2008 },
2009 {
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2010 name: "SendEmptyRecords-Pass",
2011 sendEmptyRecords: 32,
2012 },
2013 {
2014 name: "SendEmptyRecords",
2015 sendEmptyRecords: 33,
2016 shouldFail: true,
2017 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2018 },
2019 {
2020 name: "SendEmptyRecords-Async",
2021 sendEmptyRecords: 33,
2022 flags: []string{"-async"},
2023 shouldFail: true,
2024 expectedError: ":TOO_MANY_EMPTY_FRAGMENTS:",
2025 },
2026 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2027 name: "SendWarningAlerts-Pass",
2028 config: Config{
2029 MaxVersion: VersionTLS12,
2030 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2031 sendWarningAlerts: 4,
2032 },
2033 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2034 protocol: dtls,
2035 name: "SendWarningAlerts-DTLS-Pass",
2036 config: Config{
2037 MaxVersion: VersionTLS12,
2038 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2039 sendWarningAlerts: 4,
2040 },
2041 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2042 name: "SendWarningAlerts-TLS13",
2043 config: Config{
2044 MaxVersion: VersionTLS13,
2045 },
2046 sendWarningAlerts: 4,
2047 shouldFail: true,
2048 expectedError: ":BAD_ALERT:",
2049 expectedLocalError: "remote error: error decoding message",
2050 },
2051 {
2052 name: "SendWarningAlerts",
2053 config: Config{
2054 MaxVersion: VersionTLS12,
2055 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2056 sendWarningAlerts: 5,
2057 shouldFail: true,
2058 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2059 },
2060 {
David Benjamine8e84b92016-08-03 15:39:47 -0400[diff] [blame]2061 name: "SendWarningAlerts-Async",
2062 config: Config{
2063 MaxVersion: VersionTLS12,
2064 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2065 sendWarningAlerts: 5,
2066 flags: []string{"-async"},
2067 shouldFail: true,
2068 expectedError: ":TOO_MANY_WARNING_ALERTS:",
2069 },
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2070 {
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2071 name: "TooManyKeyUpdates",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2072 config: Config{
2073 MaxVersion: VersionTLS13,
2074 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2075 sendKeyUpdates: 33,
2076 keyUpdateRequest: keyUpdateNotRequested,
2077 shouldFail: true,
2078 expectedError: ":TOO_MANY_KEY_UPDATES:",
Steven Valdez32635b82016-08-16 11:25:03 -0400[diff] [blame]2079 },
2080 {
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2081 name: "EmptySessionID",
2082 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2083 MaxVersion: VersionTLS12,
David Benjaminba4594a2015-06-18 18:36:15 -0400[diff] [blame]2084 SessionTicketsDisabled: true,
2085 },
2086 noSessionCache: true,
2087 flags: []string{"-expect-no-session"},
2088 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]2089 {
2090 name: "Unclean-Shutdown",
2091 config: Config{
2092 Bugs: ProtocolBugs{
2093 NoCloseNotify: true,
2094 ExpectCloseNotify: true,
2095 },
2096 },
2097 shimShutsDown: true,
2098 flags: []string{"-check-close-notify"},
2099 shouldFail: true,
2100 expectedError: "Unexpected SSL_shutdown result: -1 != 1",
2101 },
2102 {
2103 name: "Unclean-Shutdown-Ignored",
2104 config: Config{
2105 Bugs: ProtocolBugs{
2106 NoCloseNotify: true,
2107 },
2108 },
2109 shimShutsDown: true,
2110 },
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2111 {
David Benjaminfa214e42016-05-10 17:03:10 -0400[diff] [blame]2112 name: "Unclean-Shutdown-Alert",
2113 config: Config{
2114 Bugs: ProtocolBugs{
2115 SendAlertOnShutdown: alertDecompressionFailure,
2116 ExpectCloseNotify: true,
2117 },
2118 },
2119 shimShutsDown: true,
2120 flags: []string{"-check-close-notify"},
2121 shouldFail: true,
2122 expectedError: ":SSLV3_ALERT_DECOMPRESSION_FAILURE:",
2123 },
2124 {
David Benjamin4f75aaf2015-09-01 16:53:10 -0400[diff] [blame]2125 name: "LargePlaintext",
2126 config: Config{
2127 Bugs: ProtocolBugs{
2128 SendLargeRecords: true,
2129 },
2130 },
2131 messageLen: maxPlaintext + 1,
2132 shouldFail: true,
2133 expectedError: ":DATA_LENGTH_TOO_LONG:",
2134 },
2135 {
2136 protocol: dtls,
2137 name: "LargePlaintext-DTLS",
2138 config: Config{
2139 Bugs: ProtocolBugs{
2140 SendLargeRecords: true,
2141 },
2142 },
2143 messageLen: maxPlaintext + 1,
2144 shouldFail: true,
2145 expectedError: ":DATA_LENGTH_TOO_LONG:",
2146 },
2147 {
2148 name: "LargeCiphertext",
2149 config: Config{
2150 Bugs: ProtocolBugs{
2151 SendLargeRecords: true,
2152 },
2153 },
2154 messageLen: maxPlaintext * 2,
2155 shouldFail: true,
2156 expectedError: ":ENCRYPTED_LENGTH_TOO_LONG:",
2157 },
2158 {
2159 protocol: dtls,
2160 name: "LargeCiphertext-DTLS",
2161 config: Config{
2162 Bugs: ProtocolBugs{
2163 SendLargeRecords: true,
2164 },
2165 },
2166 messageLen: maxPlaintext * 2,
2167 // Unlike the other four cases, DTLS drops records which
2168 // are invalid before authentication, so the connection
2169 // does not fail.
2170 expectMessageDropped: true,
2171 },
David Benjamindd6fed92015-10-23 17:41:12 -0400[diff] [blame]2172 {
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2173 name: "BadHelloRequest-1",
2174 renegotiate: 1,
2175 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2176 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2177 Bugs: ProtocolBugs{
2178 BadHelloRequest: []byte{typeHelloRequest, 0, 0, 1, 1},
2179 },
2180 },
2181 flags: []string{
2182 "-renegotiate-freely",
2183 "-expect-total-renegotiations", "1",
2184 },
2185 shouldFail: true,
David Benjamin163f29a2016-07-28 11:05:58 -0400[diff] [blame]2186 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2187 },
2188 {
2189 name: "BadHelloRequest-2",
2190 renegotiate: 1,
2191 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2192 MaxVersion: VersionTLS12,
David Benjaminef5dfd22015-12-06 13:17:07 -0500[diff] [blame]2193 Bugs: ProtocolBugs{
2194 BadHelloRequest: []byte{typeServerKeyExchange, 0, 0, 0},
2195 },
2196 },
2197 flags: []string{
2198 "-renegotiate-freely",
2199 "-expect-total-renegotiations", "1",
2200 },
2201 shouldFail: true,
2202 expectedError: ":BAD_HELLO_REQUEST:",
2203 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2204 {
2205 testType: serverTest,
2206 name: "SupportTicketsWithSessionID",
2207 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2208 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2209 SessionTicketsDisabled: true,
2210 },
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2211 resumeConfig: &Config{
2212 MaxVersion: VersionTLS12,
2213 },
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]2214 resumeSession: true,
2215 },
David Benjamin02edcd02016-07-27 17:40:37 -0400[diff] [blame]2216 {
2217 protocol: dtls,
2218 name: "DTLS-SendExtraFinished",
2219 config: Config{
2220 Bugs: ProtocolBugs{
2221 SendExtraFinished: true,
2222 },
2223 },
2224 shouldFail: true,
2225 expectedError: ":UNEXPECTED_RECORD:",
2226 },
2227 {
2228 protocol: dtls,
2229 name: "DTLS-SendExtraFinished-Reordered",
2230 config: Config{
2231 Bugs: ProtocolBugs{
2232 MaxHandshakeRecordLength: 2,
2233 ReorderHandshakeFragments: true,
2234 SendExtraFinished: true,
2235 },
2236 },
2237 shouldFail: true,
2238 expectedError: ":UNEXPECTED_RECORD:",
2239 },
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2240 {
2241 testType: serverTest,
2242 name: "V2ClientHello-EmptyRecordPrefix",
2243 config: Config{
2244 // Choose a cipher suite that does not involve
2245 // elliptic curves, so no extensions are
2246 // involved.
2247 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2248 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2249 Bugs: ProtocolBugs{
2250 SendV2ClientHello: true,
2251 },
2252 },
2253 sendPrefix: string([]byte{
2254 byte(recordTypeHandshake),
2255 3, 1, // version
2256 0, 0, // length
2257 }),
2258 // A no-op empty record may not be sent before V2ClientHello.
2259 shouldFail: true,
2260 expectedError: ":WRONG_VERSION_NUMBER:",
2261 },
2262 {
2263 testType: serverTest,
2264 name: "V2ClientHello-WarningAlertPrefix",
2265 config: Config{
2266 // Choose a cipher suite that does not involve
2267 // elliptic curves, so no extensions are
2268 // involved.
2269 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]2270 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamine97fb482016-07-29 09:23:07 -0400[diff] [blame]2271 Bugs: ProtocolBugs{
2272 SendV2ClientHello: true,
2273 },
2274 },
2275 sendPrefix: string([]byte{
2276 byte(recordTypeAlert),
2277 3, 1, // version
2278 0, 2, // length
2279 alertLevelWarning, byte(alertDecompressionFailure),
2280 }),
2281 // A no-op warning alert may not be sent before V2ClientHello.
2282 shouldFail: true,
2283 expectedError: ":WRONG_VERSION_NUMBER:",
2284 },
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2285 {
David Benjamin7ebe61a2017-02-10 13:14:01 -0500[diff] [blame]2286 name: "KeyUpdate-Client",
2287 config: Config{
2288 MaxVersion: VersionTLS13,
2289 },
2290 sendKeyUpdates: 1,
2291 keyUpdateRequest: keyUpdateNotRequested,
2292 },
2293 {
2294 testType: serverTest,
2295 name: "KeyUpdate-Server",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2296 config: Config{
2297 MaxVersion: VersionTLS13,
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2298 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]2299 sendKeyUpdates: 1,
2300 keyUpdateRequest: keyUpdateNotRequested,
2301 },
2302 {
2303 name: "KeyUpdate-InvalidRequestMode",
2304 config: Config{
2305 MaxVersion: VersionTLS13,
2306 },
2307 sendKeyUpdates: 1,
2308 keyUpdateRequest: 42,
2309 shouldFail: true,
2310 expectedError: ":DECODE_ERROR:",
Steven Valdez1dc53d22016-07-26 12:27:38 -0400[diff] [blame]2311 },
David Benjaminabe94e32016-09-04 14:18:58 -0400[diff] [blame]2312 {
2313 name: "SendSNIWarningAlert",
2314 config: Config{
2315 MaxVersion: VersionTLS12,
2316 Bugs: ProtocolBugs{
2317 SendSNIWarningAlert: true,
2318 },
2319 },
2320 },
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2321 {
2322 testType: serverTest,
2323 name: "ExtraCompressionMethods-TLS12",
2324 config: Config{
2325 MaxVersion: VersionTLS12,
2326 Bugs: ProtocolBugs{
2327 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2328 },
2329 },
2330 },
2331 {
2332 testType: serverTest,
2333 name: "ExtraCompressionMethods-TLS13",
2334 config: Config{
2335 MaxVersion: VersionTLS13,
2336 Bugs: ProtocolBugs{
2337 SendCompressionMethods: []byte{1, 2, 3, compressionNone, 4, 5, 6},
2338 },
2339 },
2340 shouldFail: true,
2341 expectedError: ":INVALID_COMPRESSION_LIST:",
2342 expectedLocalError: "remote error: illegal parameter",
2343 },
2344 {
2345 testType: serverTest,
2346 name: "NoNullCompression-TLS12",
2347 config: Config{
2348 MaxVersion: VersionTLS12,
2349 Bugs: ProtocolBugs{
2350 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2351 },
2352 },
2353 shouldFail: true,
David Benjamindaa05392017-02-02 23:33:21 -0500[diff] [blame]2354 expectedError: ":INVALID_COMPRESSION_LIST:",
David Benjaminc241d792016-09-09 10:34:20 -0400[diff] [blame]2355 expectedLocalError: "remote error: illegal parameter",
2356 },
2357 {
2358 testType: serverTest,
2359 name: "NoNullCompression-TLS13",
2360 config: Config{
2361 MaxVersion: VersionTLS13,
2362 Bugs: ProtocolBugs{
2363 SendCompressionMethods: []byte{1, 2, 3, 4, 5, 6},
2364 },
2365 },
2366 shouldFail: true,
2367 expectedError: ":INVALID_COMPRESSION_LIST:",
2368 expectedLocalError: "remote error: illegal parameter",
2369 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2370 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2371 name: "GREASE-Client-TLS12",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2372 config: Config{
2373 MaxVersion: VersionTLS12,
2374 Bugs: ProtocolBugs{
2375 ExpectGREASE: true,
2376 },
2377 },
2378 flags: []string{"-enable-grease"},
2379 },
2380 {
David Benjamin1a5e8ec2016-10-07 15:19:18 -0400[diff] [blame]2381 name: "GREASE-Client-TLS13",
2382 config: Config{
2383 MaxVersion: VersionTLS13,
2384 Bugs: ProtocolBugs{
2385 ExpectGREASE: true,
2386 },
2387 },
2388 flags: []string{"-enable-grease"},
2389 },
2390 {
2391 testType: serverTest,
2392 name: "GREASE-Server-TLS13",
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2393 config: Config{
2394 MaxVersion: VersionTLS13,
2395 Bugs: ProtocolBugs{
David Benjamin079b3942016-10-20 13:19:20 -0400[diff] [blame]2396 // TLS 1.3 servers are expected to
2397 // always enable GREASE. TLS 1.3 is new,
2398 // so there is no existing ecosystem to
2399 // worry about.
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2400 ExpectGREASE: true,
2401 },
2402 },
David Benjamin65ac9972016-09-02 21:35:25 -0400[diff] [blame]2403 },
David Benjamine3fbb362017-01-06 16:19:28 -0500[diff] [blame]2404 {
2405 // Test the server so there is a large certificate as
2406 // well as application data.
2407 testType: serverTest,
2408 name: "MaxSendFragment",
2409 config: Config{
2410 Bugs: ProtocolBugs{
2411 MaxReceivePlaintext: 512,
2412 },
2413 },
2414 messageLen: 1024,
2415 flags: []string{
2416 "-max-send-fragment", "512",
2417 "-read-size", "1024",
2418 },
2419 },
2420 {
2421 // Test the server so there is a large certificate as
2422 // well as application data.
2423 testType: serverTest,
2424 name: "MaxSendFragment-TooLarge",
2425 config: Config{
2426 Bugs: ProtocolBugs{
2427 // Ensure that some of the records are
2428 // 512.
2429 MaxReceivePlaintext: 511,
2430 },
2431 },
2432 messageLen: 1024,
2433 flags: []string{
2434 "-max-send-fragment", "512",
2435 "-read-size", "1024",
2436 },
2437 shouldFail: true,
2438 expectedLocalError: "local error: record overflow",
2439 },
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2440 }
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2441 testCases = append(testCases, basicTests...)
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2442
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2443 if *includeDHE {
2444 testCases = append(testCases, testCase{
2445 name: "NoFalseStart-DHE_RSA",
2446 config: Config{
2447 MaxVersion: VersionTLS12,
2448 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2449 NextProtos: []string{"foo"},
2450 Bugs: ProtocolBugs{
2451 ExpectFalseStart: true,
2452 AlertBeforeFalseStartTest: alertAccessDenied,
2453 },
2454 },
2455 flags: []string{
2456 "-false-start",
2457 "-advertise-alpn", "\x03foo",
2458 },
2459 shimWritesFirst: true,
2460 shouldFail: true,
2461 expectedError: ":TLSV1_ALERT_ACCESS_DENIED:",
2462 expectedLocalError: "tls: peer did not false start: EOF",
2463 })
2464 }
2465
David Benjamina252b342016-09-26 19:57:53 -0400[diff] [blame]2466 // Test that very large messages can be received.
2467 cert := rsaCertificate
2468 for i := 0; i < 50; i++ {
2469 cert.Certificate = append(cert.Certificate, cert.Certificate[0])
2470 }
2471 testCases = append(testCases, testCase{
2472 name: "LargeMessage",
2473 config: Config{
2474 Certificates: []Certificate{cert},
2475 },
2476 })
2477 testCases = append(testCases, testCase{
2478 protocol: dtls,
2479 name: "LargeMessage-DTLS",
2480 config: Config{
2481 Certificates: []Certificate{cert},
2482 },
2483 })
2484
2485 // They are rejected if the maximum certificate chain length is capped.
2486 testCases = append(testCases, testCase{
2487 name: "LargeMessage-Reject",
2488 config: Config{
2489 Certificates: []Certificate{cert},
2490 },
2491 flags: []string{"-max-cert-list", "16384"},
2492 shouldFail: true,
2493 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2494 })
2495 testCases = append(testCases, testCase{
2496 protocol: dtls,
2497 name: "LargeMessage-Reject-DTLS",
2498 config: Config{
2499 Certificates: []Certificate{cert},
2500 },
2501 flags: []string{"-max-cert-list", "16384"},
2502 shouldFail: true,
2503 expectedError: ":EXCESSIVE_MESSAGE_SIZE:",
2504 })
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2505}
2506
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2507func addTestForCipherSuite(suite testCipherSuite, ver tlsVersion, protocol protocol) {
2508 const psk = "12345"
2509 const pskIdentity = "luggage combo"
2510
2511 var prefix string
2512 if protocol == dtls {
2513 if !ver.hasDTLS {
2514 return
2515 }
2516 prefix = "D"
2517 }
2518
2519 var cert Certificate
2520 var certFile string
2521 var keyFile string
2522 if hasComponent(suite.name, "ECDSA") {
2523 cert = ecdsaP256Certificate
2524 certFile = ecdsaP256CertificateFile
2525 keyFile = ecdsaP256KeyFile
2526 } else {
2527 cert = rsaCertificate
2528 certFile = rsaCertificateFile
2529 keyFile = rsaKeyFile
2530 }
2531
2532 var flags []string
2533 if hasComponent(suite.name, "PSK") {
2534 flags = append(flags,
2535 "-psk", psk,
2536 "-psk-identity", pskIdentity)
2537 }
2538 if hasComponent(suite.name, "NULL") {
2539 // NULL ciphers must be explicitly enabled.
2540 flags = append(flags, "-cipher", "DEFAULT:NULL-SHA")
2541 }
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2542
2543 var shouldServerFail, shouldClientFail bool
2544 if hasComponent(suite.name, "ECDHE") && ver.version == VersionSSL30 {
2545 // BoringSSL clients accept ECDHE on SSLv3, but
2546 // a BoringSSL server will never select it
2547 // because the extension is missing.
2548 shouldServerFail = true
2549 }
2550 if isTLS12Only(suite.name) && ver.version < VersionTLS12 {
2551 shouldClientFail = true
2552 shouldServerFail = true
2553 }
2554 if !isTLS13Suite(suite.name) && ver.version >= VersionTLS13 {
2555 shouldClientFail = true
2556 shouldServerFail = true
2557 }
2558 if isTLS13Suite(suite.name) && ver.version < VersionTLS13 {
2559 shouldClientFail = true
2560 shouldServerFail = true
2561 }
2562 if !isDTLSCipher(suite.name) && protocol == dtls {
2563 shouldClientFail = true
2564 shouldServerFail = true
2565 }
2566
2567 var sendCipherSuite uint16
2568 var expectedServerError, expectedClientError string
2569 serverCipherSuites := []uint16{suite.id}
2570 if shouldServerFail {
2571 expectedServerError = ":NO_SHARED_CIPHER:"
2572 }
2573 if shouldClientFail {
2574 expectedClientError = ":WRONG_CIPHER_RETURNED:"
2575 // Configure the server to select ciphers as normal but
2576 // select an incompatible cipher in ServerHello.
2577 serverCipherSuites = nil
2578 sendCipherSuite = suite.id
2579 }
2580
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2581 // For cipher suites and versions where exporters are defined, verify
2582 // that they interoperate.
2583 var exportKeyingMaterial int
2584 if ver.version > VersionSSL30 {
2585 exportKeyingMaterial = 1024
2586 }
2587
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2588 testCases = append(testCases, testCase{
2589 testType: serverTest,
2590 protocol: protocol,
2591 name: prefix + ver.name + "-" + suite.name + "-server",
2592 config: Config{
2593 MinVersion: ver.version,
2594 MaxVersion: ver.version,
2595 CipherSuites: []uint16{suite.id},
2596 Certificates: []Certificate{cert},
2597 PreSharedKey: []byte(psk),
2598 PreSharedKeyIdentity: pskIdentity,
2599 Bugs: ProtocolBugs{
2600 AdvertiseAllConfiguredCiphers: true,
2601 },
2602 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2603 certFile: certFile,
2604 keyFile: keyFile,
2605 flags: flags,
2606 resumeSession: true,
2607 shouldFail: shouldServerFail,
2608 expectedError: expectedServerError,
2609 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2610 })
2611
2612 testCases = append(testCases, testCase{
2613 testType: clientTest,
2614 protocol: protocol,
2615 name: prefix + ver.name + "-" + suite.name + "-client",
2616 config: Config{
2617 MinVersion: ver.version,
2618 MaxVersion: ver.version,
2619 CipherSuites: serverCipherSuites,
2620 Certificates: []Certificate{cert},
2621 PreSharedKey: []byte(psk),
2622 PreSharedKeyIdentity: pskIdentity,
2623 Bugs: ProtocolBugs{
2624 IgnorePeerCipherPreferences: shouldClientFail,
2625 SendCipherSuite: sendCipherSuite,
2626 },
2627 },
David Benjamincdb6fe92017-02-07 16:06:48 -0500[diff] [blame]2628 flags: flags,
2629 resumeSession: true,
2630 shouldFail: shouldClientFail,
2631 expectedError: expectedClientError,
2632 exportKeyingMaterial: exportKeyingMaterial,
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2633 })
2634
David Benjamin6f600d62016-12-21 16:06:54 -0500[diff] [blame]2635 if shouldClientFail {
2636 return
2637 }
2638
2639 // Ensure the maximum record size is accepted.
2640 testCases = append(testCases, testCase{
2641 protocol: protocol,
2642 name: prefix + ver.name + "-" + suite.name + "-LargeRecord",
2643 config: Config{
2644 MinVersion: ver.version,
2645 MaxVersion: ver.version,
2646 CipherSuites: []uint16{suite.id},
2647 Certificates: []Certificate{cert},
2648 PreSharedKey: []byte(psk),
2649 PreSharedKeyIdentity: pskIdentity,
2650 },
2651 flags: flags,
2652 messageLen: maxPlaintext,
2653 })
2654
2655 // Test bad records for all ciphers. Bad records are fatal in TLS
2656 // and ignored in DTLS.
2657 var shouldFail bool
2658 var expectedError string
2659 if protocol == tls {
2660 shouldFail = true
2661 expectedError = ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:"
2662 }
2663
2664 testCases = append(testCases, testCase{
2665 protocol: protocol,
2666 name: prefix + ver.name + "-" + suite.name + "-BadRecord",
2667 config: Config{
2668 MinVersion: ver.version,
2669 MaxVersion: ver.version,
2670 CipherSuites: []uint16{suite.id},
2671 Certificates: []Certificate{cert},
2672 PreSharedKey: []byte(psk),
2673 PreSharedKeyIdentity: pskIdentity,
2674 },
2675 flags: flags,
2676 damageFirstWrite: true,
2677 messageLen: maxPlaintext,
2678 shouldFail: shouldFail,
2679 expectedError: expectedError,
2680 })
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2681}
2682
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2683func addCipherSuiteTests() {
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2684 const bogusCipher = 0xfe00
2685
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2686 if *includeDHE {
2687 testCipherSuites = append(testCipherSuites, []testCipherSuite{
2688 {"DHE-RSA-AES128-GCM", TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2689 {"DHE-RSA-AES128-SHA", TLS_DHE_RSA_WITH_AES_128_CBC_SHA},
2690 {"DHE-RSA-AES128-SHA256", TLS_DHE_RSA_WITH_AES_128_CBC_SHA256},
2691 {"DHE-RSA-AES256-GCM", TLS_DHE_RSA_WITH_AES_256_GCM_SHA384},
2692 {"DHE-RSA-AES256-SHA", TLS_DHE_RSA_WITH_AES_256_CBC_SHA},
2693 {"DHE-RSA-AES256-SHA256", TLS_DHE_RSA_WITH_AES_256_CBC_SHA256},
2694 }...)
2695 }
2696
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2697 for _, suite := range testCipherSuites {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2698 for _, ver := range tlsVersions {
David Benjamin0407e762016-06-17 16:41:18 -0400[diff] [blame]2699 for _, protocol := range []protocol{tls, dtls} {
David Benjaminaa012042016-12-10 13:33:05 -0500[diff] [blame]2700 addTestForCipherSuite(suite, ver, protocol)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2701 }
David Benjamin2c99d282015-09-01 10:23:00 -0400[diff] [blame]2702 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2703 }
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2704
2705 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2706 name: "NoSharedCipher",
2707 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2708 MaxVersion: VersionTLS12,
2709 CipherSuites: []uint16{},
2710 },
2711 shouldFail: true,
2712 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2713 })
2714
2715 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]2716 name: "NoSharedCipher-TLS13",
2717 config: Config{
2718 MaxVersion: VersionTLS13,
2719 CipherSuites: []uint16{},
2720 },
2721 shouldFail: true,
2722 expectedError: ":HANDSHAKE_FAILURE_ON_CLIENT_HELLO:",
2723 })
2724
2725 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2726 name: "UnsupportedCipherSuite",
2727 config: Config{
2728 MaxVersion: VersionTLS12,
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2729 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2730 Bugs: ProtocolBugs{
2731 IgnorePeerCipherPreferences: true,
2732 },
2733 },
Matt Braithwaite9c8c4182016-08-24 14:36:54 -0700[diff] [blame]2734 flags: []string{"-cipher", "DEFAULT:!AES"},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]2735 shouldFail: true,
2736 expectedError: ":WRONG_CIPHER_RETURNED:",
2737 })
2738
2739 testCases = append(testCases, testCase{
David Benjamine470e662016-07-18 15:47:32 +0200[diff] [blame]2740 name: "ServerHelloBogusCipher",
2741 config: Config{
2742 MaxVersion: VersionTLS12,
2743 Bugs: ProtocolBugs{
2744 SendCipherSuite: bogusCipher,
2745 },
2746 },
2747 shouldFail: true,
2748 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2749 })
2750 testCases = append(testCases, testCase{
2751 name: "ServerHelloBogusCipher-TLS13",
2752 config: Config{
2753 MaxVersion: VersionTLS13,
2754 Bugs: ProtocolBugs{
2755 SendCipherSuite: bogusCipher,
2756 },
2757 },
2758 shouldFail: true,
2759 expectedError: ":UNKNOWN_CIPHER_RETURNED:",
2760 })
2761
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2762 if *includeDHE {
2763 testCases = append(testCases, testCase{
2764 name: "WeakDH",
2765 config: Config{
2766 MaxVersion: VersionTLS12,
2767 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2768 Bugs: ProtocolBugs{
2769 // This is a 1023-bit prime number, generated
2770 // with:
2771 // openssl gendh 1023 | openssl asn1parse -i
2772 DHGroupPrime: bigFromHex("518E9B7930CE61C6E445C8360584E5FC78D9137C0FFDC880B495D5338ADF7689951A6821C17A76B3ACB8E0156AEA607B7EC406EBEDBB84D8376EB8FE8F8BA1433488BEE0C3EDDFD3A32DBB9481980A7AF6C96BFCF490A094CFFB2B8192C1BB5510B77B658436E27C2D4D023FE3718222AB0CA1273995B51F6D625A4944D0DD4B"),
2773 },
Adam Langleya7997f12015-05-14 17:38:50 -0700[diff] [blame]2774 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2775 shouldFail: true,
2776 expectedError: ":BAD_DH_P_LENGTH:",
2777 })
Adam Langleycef75832015-09-03 14:51:12 -0700[diff] [blame]2778
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2779 testCases = append(testCases, testCase{
2780 name: "SillyDH",
2781 config: Config{
2782 MaxVersion: VersionTLS12,
2783 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2784 Bugs: ProtocolBugs{
2785 // This is a 4097-bit prime number, generated
2786 // with:
2787 // openssl gendh 4097 | openssl asn1parse -i
2788 DHGroupPrime: bigFromHex("01D366FA64A47419B0CD4A45918E8D8C8430F674621956A9F52B0CA592BC104C6E38D60C58F2CA66792A2B7EBDC6F8FFE75AB7D6862C261F34E96A2AEEF53AB7C21365C2E8FB0582F71EB57B1C227C0E55AE859E9904A25EFECD7B435C4D4357BD840B03649D4A1F8037D89EA4E1967DBEEF1CC17A6111C48F12E9615FFF336D3F07064CB17C0B765A012C850B9E3AA7A6984B96D8C867DDC6D0F4AB52042572244796B7ECFF681CD3B3E2E29AAECA391A775BEE94E502FB15881B0F4AC60314EA947C0C82541C3D16FD8C0E09BB7F8F786582032859D9C13187CE6C0CB6F2D3EE6C3C9727C15F14B21D3CD2E02BDB9D119959B0E03DC9E5A91E2578762300B1517D2352FC1D0BB934A4C3E1B20CE9327DB102E89A6C64A8C3148EDFC5A94913933853442FA84451B31FD21E492F92DD5488E0D871AEBFE335A4B92431DEC69591548010E76A5B365D346786E9A2D3E589867D796AA5E25211201D757560D318A87DFB27F3E625BC373DB48BF94A63161C674C3D4265CB737418441B7650EABC209CF675A439BEB3E9D1AA1B79F67198A40CEFD1C89144F7D8BAF61D6AD36F466DA546B4174A0E0CAF5BD788C8243C7C2DDDCC3DB6FC89F12F17D19FBD9B0BC76FE92891CD6BA07BEA3B66EF12D0D85E788FD58675C1B0FBD16029DCC4D34E7A1A41471BDEDF78BF591A8B4E96D88BEC8EDC093E616292BFC096E69A916E8D624B"),
2789 },
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2790 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2791 shouldFail: true,
2792 expectedError: ":DH_P_TOO_LONG:",
2793 })
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2794
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2795 // This test ensures that Diffie-Hellman public values are padded with
2796 // zeros so that they're the same length as the prime. This is to avoid
2797 // hitting a bug in yaSSL.
2798 testCases = append(testCases, testCase{
2799 testType: serverTest,
2800 name: "DHPublicValuePadded",
2801 config: Config{
2802 MaxVersion: VersionTLS12,
2803 CipherSuites: []uint16{TLS_DHE_RSA_WITH_AES_128_GCM_SHA256},
2804 Bugs: ProtocolBugs{
2805 RequireDHPublicValueLen: (1025 + 7) / 8,
2806 },
Adam Langleyc4f25ce2015-11-26 16:39:08 -0800[diff] [blame]2807 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]2808 flags: []string{"-use-sparse-dh-prime"},
2809 })
2810 }
David Benjamincd24a392015-11-11 13:23:05 -0800[diff] [blame]2811
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2812 // The server must be tolerant to bogus ciphers.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2813 testCases = append(testCases, testCase{
2814 testType: serverTest,
2815 name: "UnknownCipher",
2816 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2817 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2818 CipherSuites: []uint16{bogusCipher, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2819 Bugs: ProtocolBugs{
2820 AdvertiseAllConfiguredCiphers: true,
2821 },
2822 },
2823 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2824
2825 // The server must be tolerant to bogus ciphers.
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2826 testCases = append(testCases, testCase{
2827 testType: serverTest,
2828 name: "UnknownCipher-TLS13",
2829 config: Config{
2830 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2831 CipherSuites: []uint16{bogusCipher, TLS_AES_128_GCM_SHA256},
David Benjamin5ecb88b2016-10-04 17:51:35 -0400[diff] [blame]2832 Bugs: ProtocolBugs{
2833 AdvertiseAllConfiguredCiphers: true,
2834 },
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]2835 },
2836 })
2837
David Benjamin78679342016-09-16 19:42:05 -0400[diff] [blame]2838 // Test empty ECDHE_PSK identity hints work as expected.
2839 testCases = append(testCases, testCase{
2840 name: "EmptyECDHEPSKHint",
2841 config: Config{
2842 MaxVersion: VersionTLS12,
2843 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
2844 PreSharedKey: []byte("secret"),
2845 },
2846 flags: []string{"-psk", "secret"},
2847 })
2848
2849 // Test empty PSK identity hints work as expected, even if an explicit
2850 // ServerKeyExchange is sent.
2851 testCases = append(testCases, testCase{
2852 name: "ExplicitEmptyPSKHint",
2853 config: Config{
2854 MaxVersion: VersionTLS12,
2855 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
2856 PreSharedKey: []byte("secret"),
2857 Bugs: ProtocolBugs{
2858 AlwaysSendPreSharedKeyIdentityHint: true,
2859 },
2860 },
2861 flags: []string{"-psk", "secret"},
2862 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2863}
2864
2865func addBadECDSASignatureTests() {
2866 for badR := BadValue(1); badR < NumBadValues; badR++ {
2867 for badS := BadValue(1); badS < NumBadValues; badS++ {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2868 testCases = append(testCases, testCase{
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2869 name: fmt.Sprintf("BadECDSA-%d-%d", badR, badS),
2870 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2871 MaxVersion: VersionTLS12,
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2872 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]2873 Certificates: []Certificate{ecdsaP256Certificate},
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2874 Bugs: ProtocolBugs{
2875 BadECDSAR: badR,
2876 BadECDSAS: badS,
2877 },
2878 },
2879 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2880 expectedError: ":BAD_SIGNATURE:",
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2881 })
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]2882 testCases = append(testCases, testCase{
2883 name: fmt.Sprintf("BadECDSA-%d-%d-TLS13", badR, badS),
2884 config: Config{
2885 MaxVersion: VersionTLS13,
2886 Certificates: []Certificate{ecdsaP256Certificate},
2887 Bugs: ProtocolBugs{
2888 BadECDSAR: badR,
2889 BadECDSAS: badS,
2890 },
2891 },
2892 shouldFail: true,
2893 expectedError: ":BAD_SIGNATURE:",
2894 })
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]2895 }
2896 }
2897}
2898
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2899func addCBCPaddingTests() {
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2900 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2901 name: "MaxCBCPadding",
2902 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2903 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2904 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2905 Bugs: ProtocolBugs{
2906 MaxPadding: true,
2907 },
2908 },
2909 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2910 })
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2911 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2912 name: "BadCBCPadding",
2913 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2914 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2915 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2916 Bugs: ProtocolBugs{
2917 PaddingFirstByteBad: true,
2918 },
2919 },
2920 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2921 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2922 })
2923 // OpenSSL previously had an issue where the first byte of padding in
2924 // 255 bytes of padding wasn't checked.
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]2925 testCases = append(testCases, testCase{
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2926 name: "BadCBCPadding255",
2927 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]2928 MaxVersion: VersionTLS12,
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2929 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2930 Bugs: ProtocolBugs{
2931 MaxPadding: true,
2932 PaddingFirstByteBadIf255: true,
2933 },
2934 },
2935 messageLen: 12, // 20 bytes of SHA-1 + 12 == 0 % block size
2936 shouldFail: true,
David Benjamin11d50f92016-03-10 15:55:45 -0500[diff] [blame]2937 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]2938 })
2939}
2940
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2941func addCBCSplittingTests() {
2942 testCases = append(testCases, testCase{
2943 name: "CBCRecordSplitting",
2944 config: Config{
2945 MaxVersion: VersionTLS10,
2946 MinVersion: VersionTLS10,
2947 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2948 },
David Benjaminac8302a2015-09-01 17:18:15 -0400[diff] [blame]2949 messageLen: -1, // read until EOF
2950 resumeSession: true,
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2951 flags: []string{
2952 "-async",
2953 "-write-different-record-sizes",
2954 "-cbc-record-splitting",
2955 },
David Benjamina8e3e0e2014-08-06 22:11:10 -0400[diff] [blame]2956 })
2957 testCases = append(testCases, testCase{
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]2958 name: "CBCRecordSplittingPartialWrite",
2959 config: Config{
2960 MaxVersion: VersionTLS10,
2961 MinVersion: VersionTLS10,
2962 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA},
2963 },
2964 messageLen: -1, // read until EOF
2965 flags: []string{
2966 "-async",
2967 "-write-different-record-sizes",
2968 "-cbc-record-splitting",
2969 "-partial-write",
2970 },
2971 })
2972}
2973
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2974func addClientAuthTests() {
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2975 // Add a dummy cert pool to stress certificate authority parsing.
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2976 certPool := x509.NewCertPool()
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2977 for _, cert := range []Certificate{rsaCertificate, rsa1024Certificate} {
2978 cert, err := x509.ParseCertificate(cert.Certificate[0])
2979 if err != nil {
2980 panic(err)
2981 }
2982 certPool.AddCert(cert)
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2983 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]2984 caNames := certPool.Subjects()
David Benjamin407a10c2014-07-16 12:58:59 -0400[diff] [blame]2985
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2986 for _, ver := range tlsVersions {
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2987 testCases = append(testCases, testCase{
2988 testType: clientTest,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]2989 name: ver.name + "-Client-ClientAuth-RSA",
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2990 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]2991 MinVersion: ver.version,
2992 MaxVersion: ver.version,
2993 ClientAuth: RequireAnyClientCert,
2994 ClientCAs: certPool,
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2995 },
2996 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]2997 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
2998 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]2999 },
3000 })
3001 testCases = append(testCases, testCase{
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3002 testType: serverTest,
3003 name: ver.name + "-Server-ClientAuth-RSA",
3004 config: Config{
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3005 MinVersion: ver.version,
3006 MaxVersion: ver.version,
David Benjamin67666e72014-07-12 15:47:52 -0400[diff] [blame]3007 Certificates: []Certificate{rsaCertificate},
3008 },
3009 flags: []string{"-require-any-client-certificate"},
3010 })
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3011 if ver.version != VersionSSL30 {
3012 testCases = append(testCases, testCase{
3013 testType: serverTest,
3014 name: ver.name + "-Server-ClientAuth-ECDSA",
3015 config: Config{
3016 MinVersion: ver.version,
3017 MaxVersion: ver.version,
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3018 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3019 },
3020 flags: []string{"-require-any-client-certificate"},
3021 })
3022 testCases = append(testCases, testCase{
3023 testType: clientTest,
3024 name: ver.name + "-Client-ClientAuth-ECDSA",
3025 config: Config{
3026 MinVersion: ver.version,
3027 MaxVersion: ver.version,
3028 ClientAuth: RequireAnyClientCert,
3029 ClientCAs: certPool,
3030 },
3031 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3032 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3033 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamine098ec22014-08-27 23:13:20 -0400[diff] [blame]3034 },
3035 })
3036 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3037
3038 testCases = append(testCases, testCase{
3039 name: "NoClientCertificate-" + ver.name,
3040 config: Config{
3041 MinVersion: ver.version,
3042 MaxVersion: ver.version,
3043 ClientAuth: RequireAnyClientCert,
3044 },
3045 shouldFail: true,
3046 expectedLocalError: "client didn't provide a certificate",
3047 })
3048
3049 testCases = append(testCases, testCase{
3050 // Even if not configured to expect a certificate, OpenSSL will
3051 // return X509_V_OK as the verify_result.
3052 testType: serverTest,
3053 name: "NoClientCertificateRequested-Server-" + ver.name,
3054 config: Config{
3055 MinVersion: ver.version,
3056 MaxVersion: ver.version,
3057 },
3058 flags: []string{
3059 "-expect-verify-result",
3060 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3061 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3062 })
3063
3064 testCases = append(testCases, testCase{
3065 // If a client certificate is not provided, OpenSSL will still
3066 // return X509_V_OK as the verify_result.
3067 testType: serverTest,
3068 name: "NoClientCertificate-Server-" + ver.name,
3069 config: Config{
3070 MinVersion: ver.version,
3071 MaxVersion: ver.version,
3072 },
3073 flags: []string{
3074 "-expect-verify-result",
3075 "-verify-peer",
3076 },
David Benjamin5d9ba812016-10-07 20:51:20 -0400[diff] [blame]3077 resumeSession: true,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3078 })
3079
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3080 certificateRequired := "remote error: certificate required"
3081 if ver.version < VersionTLS13 {
3082 // Prior to TLS 1.3, the generic handshake_failure alert
3083 // was used.
3084 certificateRequired = "remote error: handshake failure"
3085 }
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3086 testCases = append(testCases, testCase{
3087 testType: serverTest,
3088 name: "RequireAnyClientCertificate-" + ver.name,
3089 config: Config{
3090 MinVersion: ver.version,
3091 MaxVersion: ver.version,
3092 },
David Benjamin1db9e1b2016-10-07 20:51:43 -0400[diff] [blame]3093 flags: []string{"-require-any-client-certificate"},
3094 shouldFail: true,
3095 expectedError: ":PEER_DID_NOT_RETURN_A_CERTIFICATE:",
3096 expectedLocalError: certificateRequired,
Adam Langley37646832016-08-01 16:16:46 -0700[diff] [blame]3097 })
3098
3099 if ver.version != VersionSSL30 {
3100 testCases = append(testCases, testCase{
3101 testType: serverTest,
3102 name: "SkipClientCertificate-" + ver.name,
3103 config: Config{
3104 MinVersion: ver.version,
3105 MaxVersion: ver.version,
3106 Bugs: ProtocolBugs{
3107 SkipClientCertificate: true,
3108 },
3109 },
3110 // Setting SSL_VERIFY_PEER allows anonymous clients.
3111 flags: []string{"-verify-peer"},
3112 shouldFail: true,
3113 expectedError: ":UNEXPECTED_MESSAGE:",
3114 })
3115 }
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3116
3117 testCases = append(testCases, testCase{
3118 testType: serverTest,
3119 name: ver.name + "-Server-CertReq-CA-List",
3120 config: Config{
3121 MinVersion: ver.version,
3122 MaxVersion: ver.version,
3123 Certificates: []Certificate{rsaCertificate},
3124 Bugs: ProtocolBugs{
3125 ExpectCertificateReqNames: caNames,
3126 },
3127 },
3128 flags: []string{
3129 "-require-any-client-certificate",
3130 "-use-client-ca-list", encodeDERValues(caNames),
3131 },
3132 })
3133
3134 testCases = append(testCases, testCase{
3135 testType: clientTest,
3136 name: ver.name + "-Client-CertReq-CA-List",
3137 config: Config{
3138 MinVersion: ver.version,
3139 MaxVersion: ver.version,
3140 Certificates: []Certificate{rsaCertificate},
3141 ClientAuth: RequireAnyClientCert,
3142 ClientCAs: certPool,
3143 },
3144 flags: []string{
3145 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3146 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3147 "-expect-client-ca-list", encodeDERValues(caNames),
3148 },
3149 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3150 }
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3151
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3152 // Client auth is only legal in certificate-based ciphers.
3153 testCases = append(testCases, testCase{
3154 testType: clientTest,
3155 name: "ClientAuth-PSK",
3156 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3157 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3158 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3159 PreSharedKey: []byte("secret"),
3160 ClientAuth: RequireAnyClientCert,
3161 },
3162 flags: []string{
3163 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3164 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3165 "-psk", "secret",
3166 },
3167 shouldFail: true,
3168 expectedError: ":UNEXPECTED_MESSAGE:",
3169 })
3170 testCases = append(testCases, testCase{
3171 testType: clientTest,
3172 name: "ClientAuth-ECDHE_PSK",
3173 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3174 MaxVersion: VersionTLS12,
David Benjaminc032dfa2016-05-12 14:54:57 -0400[diff] [blame]3175 CipherSuites: []uint16{TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA},
3176 PreSharedKey: []byte("secret"),
3177 ClientAuth: RequireAnyClientCert,
3178 },
3179 flags: []string{
3180 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3181 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3182 "-psk", "secret",
3183 },
3184 shouldFail: true,
3185 expectedError: ":UNEXPECTED_MESSAGE:",
3186 })
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3187
3188 // Regression test for a bug where the client CA list, if explicitly
3189 // set to NULL, was mis-encoded.
3190 testCases = append(testCases, testCase{
3191 testType: serverTest,
3192 name: "Null-Client-CA-List",
3193 config: Config{
3194 MaxVersion: VersionTLS12,
3195 Certificates: []Certificate{rsaCertificate},
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3196 Bugs: ProtocolBugs{
3197 ExpectCertificateReqNames: [][]byte{},
3198 },
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3199 },
3200 flags: []string{
3201 "-require-any-client-certificate",
Adam Langley2ff79332017-02-28 13:45:39 -0800[diff] [blame]3202 "-use-client-ca-list", "<NULL>",
David Benjamin2f8935d2016-07-13 19:47:39 -0400[diff] [blame]3203 },
3204 })
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]3205}
3206
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3207func addExtendedMasterSecretTests() {
3208 const expectEMSFlag = "-expect-extended-master-secret"
3209
3210 for _, with := range []bool{false, true} {
3211 prefix := "No"
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3212 if with {
3213 prefix = ""
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3214 }
3215
3216 for _, isClient := range []bool{false, true} {
3217 suffix := "-Server"
3218 testType := serverTest
3219 if isClient {
3220 suffix = "-Client"
3221 testType = clientTest
3222 }
3223
3224 for _, ver := range tlsVersions {
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3225 // In TLS 1.3, the extension is irrelevant and
3226 // always reports as enabled.
3227 var flags []string
3228 if with || ver.version >= VersionTLS13 {
3229 flags = []string{expectEMSFlag}
3230 }
3231
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3232 test := testCase{
3233 testType: testType,
3234 name: prefix + "ExtendedMasterSecret-" + ver.name + suffix,
3235 config: Config{
3236 MinVersion: ver.version,
3237 MaxVersion: ver.version,
3238 Bugs: ProtocolBugs{
3239 NoExtendedMasterSecret: !with,
3240 RequireExtendedMasterSecret: with,
3241 },
3242 },
David Benjamin48cae082014-10-27 01:06:24 -0400[diff] [blame]3243 flags: flags,
3244 shouldFail: ver.version == VersionSSL30 && with,
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3245 }
3246 if test.shouldFail {
3247 test.expectedLocalError = "extended master secret required but not supported by peer"
3248 }
3249 testCases = append(testCases, test)
3250 }
3251 }
3252 }
3253
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3254 for _, isClient := range []bool{false, true} {
3255 for _, supportedInFirstConnection := range []bool{false, true} {
3256 for _, supportedInResumeConnection := range []bool{false, true} {
3257 boolToWord := func(b bool) string {
3258 if b {
3259 return "Yes"
3260 }
3261 return "No"
3262 }
3263 suffix := boolToWord(supportedInFirstConnection) + "To" + boolToWord(supportedInResumeConnection) + "-"
3264 if isClient {
3265 suffix += "Client"
3266 } else {
3267 suffix += "Server"
3268 }
3269
3270 supportedConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3271 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3272 Bugs: ProtocolBugs{
3273 RequireExtendedMasterSecret: true,
3274 },
3275 }
3276
3277 noSupportConfig := Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3278 MaxVersion: VersionTLS12,
Adam Langleyba5934b2015-06-02 10:50:35 -0700[diff] [blame]3279 Bugs: ProtocolBugs{
3280 NoExtendedMasterSecret: true,
3281 },
3282 }
3283
3284 test := testCase{
3285 name: "ExtendedMasterSecret-" + suffix,
3286 resumeSession: true,
3287 }
3288
3289 if !isClient {
3290 test.testType = serverTest
3291 }
3292
3293 if supportedInFirstConnection {
3294 test.config = supportedConfig
3295 } else {
3296 test.config = noSupportConfig
3297 }
3298
3299 if supportedInResumeConnection {
3300 test.resumeConfig = &supportedConfig
3301 } else {
3302 test.resumeConfig = &noSupportConfig
3303 }
3304
3305 switch suffix {
3306 case "YesToYes-Client", "YesToYes-Server":
3307 // When a session is resumed, it should
3308 // still be aware that its master
3309 // secret was generated via EMS and
3310 // thus it's safe to use tls-unique.
3311 test.flags = []string{expectEMSFlag}
3312 case "NoToYes-Server":
3313 // If an original connection did not
3314 // contain EMS, but a resumption
3315 // handshake does, then a server should
3316 // not resume the session.
3317 test.expectResumeRejected = true
3318 case "YesToNo-Server":
3319 // Resuming an EMS session without the
3320 // EMS extension should cause the
3321 // server to abort the connection.
3322 test.shouldFail = true
3323 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3324 case "NoToYes-Client":
3325 // A client should abort a connection
3326 // where the server resumed a non-EMS
3327 // session but echoed the EMS
3328 // extension.
3329 test.shouldFail = true
3330 test.expectedError = ":RESUMED_NON_EMS_SESSION_WITH_EMS_EXTENSION:"
3331 case "YesToNo-Client":
3332 // A client should abort a connection
3333 // where the server didn't echo EMS
3334 // when the session used it.
3335 test.shouldFail = true
3336 test.expectedError = ":RESUMED_EMS_SESSION_WITHOUT_EMS_EXTENSION:"
3337 }
3338
3339 testCases = append(testCases, test)
3340 }
3341 }
3342 }
David Benjamin163c9562016-08-29 23:14:17 -0400[diff] [blame]3343
3344 // Switching EMS on renegotiation is forbidden.
3345 testCases = append(testCases, testCase{
3346 name: "ExtendedMasterSecret-Renego-NoEMS",
3347 config: Config{
3348 MaxVersion: VersionTLS12,
3349 Bugs: ProtocolBugs{
3350 NoExtendedMasterSecret: true,
3351 NoExtendedMasterSecretOnRenegotiation: true,
3352 },
3353 },
3354 renegotiate: 1,
3355 flags: []string{
3356 "-renegotiate-freely",
3357 "-expect-total-renegotiations", "1",
3358 },
3359 })
3360
3361 testCases = append(testCases, testCase{
3362 name: "ExtendedMasterSecret-Renego-Upgrade",
3363 config: Config{
3364 MaxVersion: VersionTLS12,
3365 Bugs: ProtocolBugs{
3366 NoExtendedMasterSecret: true,
3367 },
3368 },
3369 renegotiate: 1,
3370 flags: []string{
3371 "-renegotiate-freely",
3372 "-expect-total-renegotiations", "1",
3373 },
3374 shouldFail: true,
3375 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3376 })
3377
3378 testCases = append(testCases, testCase{
3379 name: "ExtendedMasterSecret-Renego-Downgrade",
3380 config: Config{
3381 MaxVersion: VersionTLS12,
3382 Bugs: ProtocolBugs{
3383 NoExtendedMasterSecretOnRenegotiation: true,
3384 },
3385 },
3386 renegotiate: 1,
3387 flags: []string{
3388 "-renegotiate-freely",
3389 "-expect-total-renegotiations", "1",
3390 },
3391 shouldFail: true,
3392 expectedError: ":RENEGOTIATION_EMS_MISMATCH:",
3393 })
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]3394}
3395
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3396type stateMachineTestConfig struct {
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3397 protocol protocol
3398 async bool
3399 splitHandshake bool
3400 packHandshakeFlight bool
3401 implicitHandshake bool
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3402}
3403
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]3404// Adds tests that try to cover the range of the handshake state machine, under
3405// various conditions. Some of these are redundant with other tests, but they
3406// only cover the synchronous case.
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3407func addAllStateMachineCoverageTests() {
3408 for _, async := range []bool{false, true} {
3409 for _, protocol := range []protocol{tls, dtls} {
3410 addStateMachineCoverageTests(stateMachineTestConfig{
3411 protocol: protocol,
3412 async: async,
3413 })
3414 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]3415 protocol: protocol,
3416 async: async,
3417 implicitHandshake: true,
3418 })
3419 addStateMachineCoverageTests(stateMachineTestConfig{
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3420 protocol: protocol,
3421 async: async,
3422 splitHandshake: true,
3423 })
3424 if protocol == tls {
3425 addStateMachineCoverageTests(stateMachineTestConfig{
3426 protocol: protocol,
3427 async: async,
3428 packHandshakeFlight: true,
3429 })
3430 }
3431 }
3432 }
3433}
3434
3435func addStateMachineCoverageTests(config stateMachineTestConfig) {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3436 var tests []testCase
3437
3438 // Basic handshake, with resumption. Client and server,
3439 // session ID and session ticket.
3440 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3441 name: "Basic-Client",
3442 config: Config{
3443 MaxVersion: VersionTLS12,
3444 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3445 resumeSession: true,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3446 // Ensure session tickets are used, not session IDs.
3447 noSessionCache: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3448 })
3449 tests = append(tests, testCase{
3450 name: "Basic-Client-RenewTicket",
3451 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3452 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3453 Bugs: ProtocolBugs{
3454 RenewTicketOnResume: true,
3455 },
3456 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3457 flags: []string{"-expect-ticket-renewal"},
3458 resumeSession: true,
3459 resumeRenewedSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3460 })
3461 tests = append(tests, testCase{
3462 name: "Basic-Client-NoTicket",
3463 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3464 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3465 SessionTicketsDisabled: true,
3466 },
3467 resumeSession: true,
3468 })
3469 tests = append(tests, testCase{
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3470 testType: serverTest,
3471 name: "Basic-Server",
3472 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3473 MaxVersion: VersionTLS12,
David Benjaminef1b0092015-11-21 14:05:44 -0500[diff] [blame]3474 Bugs: ProtocolBugs{
3475 RequireSessionTickets: true,
3476 },
3477 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3478 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3479 flags: []string{"-expect-no-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3480 })
3481 tests = append(tests, testCase{
3482 testType: serverTest,
3483 name: "Basic-Server-NoTickets",
3484 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3485 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3486 SessionTicketsDisabled: true,
3487 },
3488 resumeSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3489 flags: []string{"-expect-session-id"},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3490 })
3491 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3492 testType: serverTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3493 name: "Basic-Server-EarlyCallback",
3494 config: Config{
3495 MaxVersion: VersionTLS12,
3496 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3497 flags: []string{"-use-early-callback"},
3498 resumeSession: true,
3499 })
3500
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3501 // TLS 1.3 basic handshake shapes.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3502 if config.protocol == tls {
3503 tests = append(tests, testCase{
3504 name: "TLS13-1RTT-Client",
3505 config: Config{
3506 MaxVersion: VersionTLS13,
3507 MinVersion: VersionTLS13,
3508 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3509 resumeSession: true,
3510 resumeRenewedSession: true,
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3511 })
3512
3513 tests = append(tests, testCase{
3514 testType: serverTest,
3515 name: "TLS13-1RTT-Server",
3516 config: Config{
3517 MaxVersion: VersionTLS13,
3518 MinVersion: VersionTLS13,
3519 },
David Benjamin46662482016-08-17 00:51:00 -0400[diff] [blame]3520 resumeSession: true,
3521 resumeRenewedSession: true,
David Benjaminb5c58db2017-01-28 01:39:29 -0500[diff] [blame]3522 // TLS 1.3 uses tickets, so the session should not be
3523 // cached statefully.
3524 flags: []string{"-expect-no-session-id"},
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3525 })
3526
3527 tests = append(tests, testCase{
3528 name: "TLS13-HelloRetryRequest-Client",
3529 config: Config{
3530 MaxVersion: VersionTLS13,
3531 MinVersion: VersionTLS13,
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]3532 // P-384 requires a HelloRetryRequest against BoringSSL's default
3533 // configuration. Assert this with ExpectMissingKeyShare.
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3534 CurvePreferences: []CurveID{CurveP384},
3535 Bugs: ProtocolBugs{
3536 ExpectMissingKeyShare: true,
3537 },
3538 },
3539 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3540 resumeSession: true,
3541 })
3542
3543 tests = append(tests, testCase{
3544 testType: serverTest,
3545 name: "TLS13-HelloRetryRequest-Server",
3546 config: Config{
3547 MaxVersion: VersionTLS13,
3548 MinVersion: VersionTLS13,
3549 // Require a HelloRetryRequest for every curve.
3550 DefaultCurves: []CurveID{},
3551 },
3552 // Cover HelloRetryRequest during an ECDHE-PSK resumption.
3553 resumeSession: true,
3554 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]3555
3556 // TODO(svaldez): Send data on early data once implemented.
3557 tests = append(tests, testCase{
3558 testType: clientTest,
3559 name: "TLS13-EarlyData-Client",
3560 config: Config{
3561 MaxVersion: VersionTLS13,
3562 MinVersion: VersionTLS13,
3563 MaxEarlyDataSize: 16384,
3564 },
3565 resumeSession: true,
3566 flags: []string{
3567 "-enable-early-data",
3568 "-expect-early-data-info",
3569 "-expect-accept-early-data",
3570 },
3571 })
3572
3573 tests = append(tests, testCase{
3574 testType: serverTest,
3575 name: "TLS13-EarlyData-Server",
3576 config: Config{
3577 MaxVersion: VersionTLS13,
3578 MinVersion: VersionTLS13,
3579 Bugs: ProtocolBugs{
3580 SendEarlyData: [][]byte{},
3581 ExpectEarlyDataAccepted: true,
3582 },
3583 },
3584 resumeSession: true,
3585 flags: []string{
3586 "-enable-early-data",
3587 },
3588 })
David Benjamine73c7f42016-08-17 00:29:33 -0400[diff] [blame]3589 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3590
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3591 // TLS client auth.
3592 tests = append(tests, testCase{
3593 testType: clientTest,
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3594 name: "ClientAuth-NoCertificate-Client",
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3595 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3596 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3597 ClientAuth: RequestClientCert,
3598 },
3599 })
3600 tests = append(tests, testCase{
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3601 testType: serverTest,
3602 name: "ClientAuth-NoCertificate-Server",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3603 config: Config{
3604 MaxVersion: VersionTLS12,
3605 },
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3606 // Setting SSL_VERIFY_PEER allows anonymous clients.
3607 flags: []string{"-verify-peer"},
3608 })
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3609 if config.protocol == tls {
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3610 tests = append(tests, testCase{
3611 testType: clientTest,
3612 name: "ClientAuth-NoCertificate-Client-SSL3",
3613 config: Config{
3614 MaxVersion: VersionSSL30,
3615 ClientAuth: RequestClientCert,
3616 },
3617 })
3618 tests = append(tests, testCase{
3619 testType: serverTest,
3620 name: "ClientAuth-NoCertificate-Server-SSL3",
3621 config: Config{
3622 MaxVersion: VersionSSL30,
3623 },
3624 // Setting SSL_VERIFY_PEER allows anonymous clients.
3625 flags: []string{"-verify-peer"},
3626 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3627 tests = append(tests, testCase{
3628 testType: clientTest,
3629 name: "ClientAuth-NoCertificate-Client-TLS13",
3630 config: Config{
3631 MaxVersion: VersionTLS13,
3632 ClientAuth: RequestClientCert,
3633 },
3634 })
3635 tests = append(tests, testCase{
3636 testType: serverTest,
3637 name: "ClientAuth-NoCertificate-Server-TLS13",
3638 config: Config{
3639 MaxVersion: VersionTLS13,
3640 },
3641 // Setting SSL_VERIFY_PEER allows anonymous clients.
3642 flags: []string{"-verify-peer"},
3643 })
David Benjamin0b7ca7d2016-03-10 15:44:22 -0500[diff] [blame]3644 }
3645 tests = append(tests, testCase{
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3646 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3647 name: "ClientAuth-RSA-Client",
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3648 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3649 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3650 ClientAuth: RequireAnyClientCert,
3651 },
3652 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]3653 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3654 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3655 },
3656 })
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3657 tests = append(tests, testCase{
3658 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3659 name: "ClientAuth-RSA-Client-TLS13",
3660 config: Config{
3661 MaxVersion: VersionTLS13,
3662 ClientAuth: RequireAnyClientCert,
3663 },
3664 flags: []string{
3665 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3666 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3667 },
3668 })
3669 tests = append(tests, testCase{
3670 testType: clientTest,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3671 name: "ClientAuth-ECDSA-Client",
3672 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3673 MaxVersion: VersionTLS12,
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3674 ClientAuth: RequireAnyClientCert,
3675 },
3676 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3677 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3678 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
nagendra modadugu3398dbf2015-08-07 14:07:52 -0700[diff] [blame]3679 },
3680 })
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3681 tests = append(tests, testCase{
3682 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3683 name: "ClientAuth-ECDSA-Client-TLS13",
3684 config: Config{
3685 MaxVersion: VersionTLS13,
3686 ClientAuth: RequireAnyClientCert,
3687 },
3688 flags: []string{
3689 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3690 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
3691 },
3692 })
3693 tests = append(tests, testCase{
3694 testType: clientTest,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3695 name: "ClientAuth-NoCertificate-OldCallback",
3696 config: Config{
3697 MaxVersion: VersionTLS12,
3698 ClientAuth: RequestClientCert,
3699 },
3700 flags: []string{"-use-old-client-cert-callback"},
3701 })
3702 tests = append(tests, testCase{
3703 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3704 name: "ClientAuth-NoCertificate-OldCallback-TLS13",
3705 config: Config{
3706 MaxVersion: VersionTLS13,
3707 ClientAuth: RequestClientCert,
3708 },
3709 flags: []string{"-use-old-client-cert-callback"},
3710 })
3711 tests = append(tests, testCase{
3712 testType: clientTest,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3713 name: "ClientAuth-OldCallback",
3714 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3715 MaxVersion: VersionTLS12,
David Benjaminacb6dcc2016-03-10 09:15:01 -0500[diff] [blame]3716 ClientAuth: RequireAnyClientCert,
3717 },
3718 flags: []string{
3719 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3720 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3721 "-use-old-client-cert-callback",
3722 },
3723 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3724 tests = append(tests, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3725 testType: clientTest,
3726 name: "ClientAuth-OldCallback-TLS13",
3727 config: Config{
3728 MaxVersion: VersionTLS13,
3729 ClientAuth: RequireAnyClientCert,
3730 },
3731 flags: []string{
3732 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3733 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3734 "-use-old-client-cert-callback",
3735 },
3736 })
3737 tests = append(tests, testCase{
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3738 testType: serverTest,
3739 name: "ClientAuth-Server",
3740 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3741 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3742 Certificates: []Certificate{rsaCertificate},
3743 },
3744 flags: []string{"-require-any-client-certificate"},
3745 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3746 tests = append(tests, testCase{
3747 testType: serverTest,
3748 name: "ClientAuth-Server-TLS13",
3749 config: Config{
3750 MaxVersion: VersionTLS13,
3751 Certificates: []Certificate{rsaCertificate},
3752 },
3753 flags: []string{"-require-any-client-certificate"},
3754 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3755
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3756 // Test each key exchange on the server side for async keys.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3757 tests = append(tests, testCase{
3758 testType: serverTest,
3759 name: "Basic-Server-RSA",
3760 config: Config{
3761 MaxVersion: VersionTLS12,
3762 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
3763 },
3764 flags: []string{
3765 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3766 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3767 },
3768 })
3769 tests = append(tests, testCase{
3770 testType: serverTest,
3771 name: "Basic-Server-ECDHE-RSA",
3772 config: Config{
3773 MaxVersion: VersionTLS12,
3774 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
3775 },
3776 flags: []string{
3777 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
3778 "-key-file", path.Join(*resourceDir, rsaKeyFile),
3779 },
3780 })
3781 tests = append(tests, testCase{
3782 testType: serverTest,
3783 name: "Basic-Server-ECDHE-ECDSA",
3784 config: Config{
3785 MaxVersion: VersionTLS12,
3786 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
3787 },
3788 flags: []string{
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]3789 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
3790 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3791 },
3792 })
3793
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3794 // No session ticket support; server doesn't send NewSessionTicket.
3795 tests = append(tests, testCase{
3796 name: "SessionTicketsDisabled-Client",
3797 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3798 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3799 SessionTicketsDisabled: true,
3800 },
3801 })
3802 tests = append(tests, testCase{
3803 testType: serverTest,
3804 name: "SessionTicketsDisabled-Server",
3805 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3806 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3807 SessionTicketsDisabled: true,
3808 },
3809 })
3810
3811 // Skip ServerKeyExchange in PSK key exchange if there's no
3812 // identity hint.
3813 tests = append(tests, testCase{
3814 name: "EmptyPSKHint-Client",
3815 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3816 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3817 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3818 PreSharedKey: []byte("secret"),
3819 },
3820 flags: []string{"-psk", "secret"},
3821 })
3822 tests = append(tests, testCase{
3823 testType: serverTest,
3824 name: "EmptyPSKHint-Server",
3825 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]3826 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3827 CipherSuites: []uint16{TLS_PSK_WITH_AES_128_CBC_SHA},
3828 PreSharedKey: []byte("secret"),
3829 },
3830 flags: []string{"-psk", "secret"},
3831 })
3832
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3833 // OCSP stapling tests.
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3834 tests = append(tests, testCase{
3835 testType: clientTest,
3836 name: "OCSPStapling-Client",
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3837 config: Config{
3838 MaxVersion: VersionTLS12,
3839 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3840 flags: []string{
3841 "-enable-ocsp-stapling",
3842 "-expect-ocsp-response",
3843 base64.StdEncoding.EncodeToString(testOCSPResponse),
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3844 "-verify-peer",
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3845 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3846 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3847 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3848 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3849 testType: serverTest,
3850 name: "OCSPStapling-Server",
3851 config: Config{
3852 MaxVersion: VersionTLS12,
3853 },
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3854 expectedOCSPResponse: testOCSPResponse,
3855 flags: []string{
3856 "-ocsp-response",
3857 base64.StdEncoding.EncodeToString(testOCSPResponse),
3858 },
Paul Lietar62be8ac2015-09-16 10:03:30 +0100[diff] [blame]3859 resumeSession: true,
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3860 })
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3861 tests = append(tests, testCase{
3862 testType: clientTest,
3863 name: "OCSPStapling-Client-TLS13",
3864 config: Config{
3865 MaxVersion: VersionTLS13,
3866 },
3867 flags: []string{
3868 "-enable-ocsp-stapling",
3869 "-expect-ocsp-response",
3870 base64.StdEncoding.EncodeToString(testOCSPResponse),
3871 "-verify-peer",
3872 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3873 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3874 })
3875 tests = append(tests, testCase{
3876 testType: serverTest,
3877 name: "OCSPStapling-Server-TLS13",
3878 config: Config{
3879 MaxVersion: VersionTLS13,
3880 },
3881 expectedOCSPResponse: testOCSPResponse,
3882 flags: []string{
3883 "-ocsp-response",
3884 base64.StdEncoding.EncodeToString(testOCSPResponse),
3885 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3886 resumeSession: true,
David Benjamin942f4ed2016-07-16 19:03:49 +0300[diff] [blame]3887 })
Paul Lietaraeeff2c2015-08-12 11:47:11 +0100[diff] [blame]3888
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3889 // Certificate verification tests.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3890 for _, vers := range tlsVersions {
3891 if config.protocol == dtls && !vers.hasDTLS {
3892 continue
3893 }
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3894 for _, testType := range []testType{clientTest, serverTest} {
3895 suffix := "-Client"
3896 if testType == serverTest {
3897 suffix = "-Server"
3898 }
3899 suffix += "-" + vers.name
3900
3901 flag := "-verify-peer"
3902 if testType == serverTest {
3903 flag = "-require-any-client-certificate"
3904 }
3905
3906 tests = append(tests, testCase{
3907 testType: testType,
3908 name: "CertificateVerificationSucceed" + suffix,
3909 config: Config{
3910 MaxVersion: vers.version,
3911 Certificates: []Certificate{rsaCertificate},
3912 },
3913 flags: []string{
3914 flag,
3915 "-expect-verify-result",
3916 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3917 resumeSession: true,
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3918 })
3919 tests = append(tests, testCase{
3920 testType: testType,
3921 name: "CertificateVerificationFail" + suffix,
3922 config: Config{
3923 MaxVersion: vers.version,
3924 Certificates: []Certificate{rsaCertificate},
3925 },
3926 flags: []string{
3927 flag,
3928 "-verify-fail",
3929 },
3930 shouldFail: true,
3931 expectedError: ":CERTIFICATE_VERIFY_FAILED:",
3932 })
3933 }
3934
3935 // By default, the client is in a soft fail mode where the peer
3936 // certificate is verified but failures are non-fatal.
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3937 tests = append(tests, testCase{
3938 testType: clientTest,
3939 name: "CertificateVerificationSoftFail-" + vers.name,
3940 config: Config{
David Benjaminbb9e36e2016-08-03 14:14:47 -0400[diff] [blame]3941 MaxVersion: vers.version,
3942 Certificates: []Certificate{rsaCertificate},
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3943 },
3944 flags: []string{
3945 "-verify-fail",
3946 "-expect-verify-result",
3947 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]3948 resumeSession: true,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]3949 })
3950 }
Paul Lietar8f1c2682015-08-18 12:21:54 +0100[diff] [blame]3951
David Benjamin1d4f4c02016-07-26 18:03:08 -0400[diff] [blame]3952 tests = append(tests, testCase{
3953 name: "ShimSendAlert",
3954 flags: []string{"-send-alert"},
3955 shimWritesFirst: true,
3956 shouldFail: true,
3957 expectedLocalError: "remote error: decompression failure",
3958 })
3959
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]3960 if config.protocol == tls {
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3961 tests = append(tests, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3962 name: "Renegotiate-Client",
3963 config: Config{
3964 MaxVersion: VersionTLS12,
3965 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]3966 renegotiate: 1,
3967 flags: []string{
3968 "-renegotiate-freely",
3969 "-expect-total-renegotiations", "1",
3970 },
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3971 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3972
David Benjamin47921102016-07-28 11:29:18 -0400[diff] [blame]3973 tests = append(tests, testCase{
3974 name: "SendHalfHelloRequest",
3975 config: Config{
3976 MaxVersion: VersionTLS12,
3977 Bugs: ProtocolBugs{
3978 PackHelloRequestWithFinished: config.packHandshakeFlight,
3979 },
3980 },
3981 sendHalfHelloRequest: true,
3982 flags: []string{"-renegotiate-ignore"},
3983 shouldFail: true,
3984 expectedError: ":UNEXPECTED_RECORD:",
3985 })
3986
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3987 // NPN on client and server; results in post-handshake message.
3988 tests = append(tests, testCase{
3989 name: "NPN-Client",
3990 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]3991 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3992 NextProtos: []string{"foo"},
3993 },
3994 flags: []string{"-select-next-proto", "foo"},
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]3995 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]3996 expectedNextProto: "foo",
3997 expectedNextProtoType: npn,
3998 })
3999 tests = append(tests, testCase{
4000 testType: serverTest,
4001 name: "NPN-Server",
4002 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4003 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4004 NextProtos: []string{"bar"},
4005 },
4006 flags: []string{
4007 "-advertise-npn", "\x03foo\x03bar\x03baz",
4008 "-expect-next-proto", "bar",
4009 },
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4010 resumeSession: true,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4011 expectedNextProto: "bar",
4012 expectedNextProtoType: npn,
4013 })
4014
4015 // TODO(davidben): Add tests for when False Start doesn't trigger.
4016
4017 // Client does False Start and negotiates NPN.
4018 tests = append(tests, testCase{
4019 name: "FalseStart",
4020 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4021 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4022 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4023 NextProtos: []string{"foo"},
4024 Bugs: ProtocolBugs{
4025 ExpectFalseStart: true,
4026 },
4027 },
4028 flags: []string{
4029 "-false-start",
4030 "-select-next-proto", "foo",
4031 },
4032 shimWritesFirst: true,
4033 resumeSession: true,
4034 })
4035
4036 // Client does False Start and negotiates ALPN.
4037 tests = append(tests, testCase{
4038 name: "FalseStart-ALPN",
4039 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4040 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4041 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4042 NextProtos: []string{"foo"},
4043 Bugs: ProtocolBugs{
4044 ExpectFalseStart: true,
4045 },
4046 },
4047 flags: []string{
4048 "-false-start",
4049 "-advertise-alpn", "\x03foo",
4050 },
4051 shimWritesFirst: true,
4052 resumeSession: true,
4053 })
4054
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4055 // False Start without session tickets.
4056 tests = append(tests, testCase{
4057 name: "FalseStart-SessionTicketsDisabled",
4058 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4059 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4060 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
4061 NextProtos: []string{"foo"},
4062 SessionTicketsDisabled: true,
4063 Bugs: ProtocolBugs{
4064 ExpectFalseStart: true,
4065 },
4066 },
4067 flags: []string{
4068 "-false-start",
4069 "-select-next-proto", "foo",
4070 },
4071 shimWritesFirst: true,
4072 })
4073
4074 // Server parses a V2ClientHello.
4075 tests = append(tests, testCase{
4076 testType: serverTest,
4077 name: "SendV2ClientHello",
4078 config: Config{
4079 // Choose a cipher suite that does not involve
4080 // elliptic curves, so no extensions are
4081 // involved.
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4082 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]4083 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4084 Bugs: ProtocolBugs{
4085 SendV2ClientHello: true,
4086 },
4087 },
4088 })
4089
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4090 // Test Channel ID
4091 for _, ver := range tlsVersions {
Nick Harperc9846112016-10-17 15:05:35 -0700[diff] [blame]4092 if ver.version < VersionTLS10 {
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4093 continue
4094 }
4095 // Client sends a Channel ID.
4096 tests = append(tests, testCase{
4097 name: "ChannelID-Client-" + ver.name,
4098 config: Config{
4099 MaxVersion: ver.version,
4100 RequestChannelID: true,
4101 },
4102 flags: []string{"-send-channel-id", path.Join(*resourceDir, channelIDKeyFile)},
4103 resumeSession: true,
4104 expectChannelID: true,
4105 })
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4106
Nick Harper60a85cb2016-09-23 16:25:11 -0700[diff] [blame]4107 // Server accepts a Channel ID.
4108 tests = append(tests, testCase{
4109 testType: serverTest,
4110 name: "ChannelID-Server-" + ver.name,
4111 config: Config{
4112 MaxVersion: ver.version,
4113 ChannelID: channelIDKey,
4114 },
4115 flags: []string{
4116 "-expect-channel-id",
4117 base64.StdEncoding.EncodeToString(channelIDBytes),
4118 },
4119 resumeSession: true,
4120 expectChannelID: true,
4121 })
4122
4123 tests = append(tests, testCase{
4124 testType: serverTest,
4125 name: "InvalidChannelIDSignature-" + ver.name,
4126 config: Config{
4127 MaxVersion: ver.version,
4128 ChannelID: channelIDKey,
4129 Bugs: ProtocolBugs{
4130 InvalidChannelIDSignature: true,
4131 },
4132 },
4133 flags: []string{"-enable-channel-id"},
4134 shouldFail: true,
4135 expectedError: ":CHANNEL_ID_SIGNATURE_INVALID:",
4136 })
4137 }
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4138
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4139 // Channel ID and NPN at the same time, to ensure their relative
4140 // ordering is correct.
4141 tests = append(tests, testCase{
4142 name: "ChannelID-NPN-Client",
4143 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4144 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4145 RequestChannelID: true,
4146 NextProtos: []string{"foo"},
4147 },
4148 flags: []string{
4149 "-send-channel-id", path.Join(*resourceDir, channelIDKeyFile),
4150 "-select-next-proto", "foo",
4151 },
4152 resumeSession: true,
4153 expectChannelID: true,
4154 expectedNextProto: "foo",
4155 expectedNextProtoType: npn,
4156 })
4157 tests = append(tests, testCase{
4158 testType: serverTest,
4159 name: "ChannelID-NPN-Server",
4160 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4161 MaxVersion: VersionTLS12,
David Benjaminf8fcdf32016-06-08 15:56:13 -0400[diff] [blame]4162 ChannelID: channelIDKey,
4163 NextProtos: []string{"bar"},
4164 },
4165 flags: []string{
4166 "-expect-channel-id",
4167 base64.StdEncoding.EncodeToString(channelIDBytes),
4168 "-advertise-npn", "\x03foo\x03bar\x03baz",
4169 "-expect-next-proto", "bar",
4170 },
4171 resumeSession: true,
4172 expectChannelID: true,
4173 expectedNextProto: "bar",
4174 expectedNextProtoType: npn,
4175 })
4176
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4177 // Bidirectional shutdown with the runner initiating.
4178 tests = append(tests, testCase{
4179 name: "Shutdown-Runner",
4180 config: Config{
4181 Bugs: ProtocolBugs{
4182 ExpectCloseNotify: true,
4183 },
4184 },
4185 flags: []string{"-check-close-notify"},
4186 })
4187
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4188 if !config.implicitHandshake {
4189 // Bidirectional shutdown with the shim initiating. The runner,
4190 // in the meantime, sends garbage before the close_notify which
4191 // the shim must ignore. This test is disabled under implicit
4192 // handshake tests because the shim never reads or writes.
4193 tests = append(tests, testCase{
4194 name: "Shutdown-Shim",
4195 config: Config{
4196 MaxVersion: VersionTLS12,
4197 Bugs: ProtocolBugs{
4198 ExpectCloseNotify: true,
4199 },
David Benjamin30789da2015-08-29 22:56:45 -0400[diff] [blame]4200 },
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4201 shimShutsDown: true,
4202 sendEmptyRecords: 1,
4203 sendWarningAlerts: 1,
4204 flags: []string{"-check-close-notify"},
4205 })
4206 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4207 } else {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4208 // TODO(davidben): DTLS 1.3 will want a similar thing for
4209 // HelloRetryRequest.
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4210 tests = append(tests, testCase{
4211 name: "SkipHelloVerifyRequest",
4212 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4213 MaxVersion: VersionTLS12,
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4214 Bugs: ProtocolBugs{
4215 SkipHelloVerifyRequest: true,
4216 },
4217 },
4218 })
4219 }
4220
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4221 for _, test := range tests {
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4222 test.protocol = config.protocol
4223 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4224 test.name += "-DTLS"
4225 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4226 if config.async {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4227 test.name += "-Async"
4228 test.flags = append(test.flags, "-async")
4229 } else {
4230 test.name += "-Sync"
4231 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4232 if config.splitHandshake {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4233 test.name += "-SplitHandshakeRecords"
4234 test.config.Bugs.MaxHandshakeRecordLength = 1
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4235 if config.protocol == dtls {
David Benjamin16285ea2015-11-03 15:39:45 -0500[diff] [blame]4236 test.config.Bugs.MaxPacketLength = 256
4237 test.flags = append(test.flags, "-mtu", "256")
4238 }
4239 }
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]4240 if config.packHandshakeFlight {
4241 test.name += "-PackHandshakeFlight"
4242 test.config.Bugs.PackHandshakeFlight = true
4243 }
David Benjamine3843d42017-03-25 18:00:56 -0500[diff] [blame]4244 if config.implicitHandshake {
4245 test.name += "-ImplicitHandshake"
4246 test.flags = append(test.flags, "-implicit-handshake")
4247 }
David Benjamin760b1dd2015-05-15 23:33:48 -0400[diff] [blame]4248 testCases = append(testCases, test)
David Benjamin6fd297b2014-08-11 18:43:38 -0400[diff] [blame]4249 }
David Benjamin43ec06f2014-08-05 02:28:57 -0400[diff] [blame]4250}
4251
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4252func addDDoSCallbackTests() {
4253 // DDoS callback.
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4254 for _, resume := range []bool{false, true} {
4255 suffix := "Resume"
4256 if resume {
4257 suffix = "No" + suffix
4258 }
4259
4260 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4261 testType: serverTest,
4262 name: "Server-DDoS-OK-" + suffix,
4263 config: Config{
4264 MaxVersion: VersionTLS12,
4265 },
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4266 flags: []string{"-install-ddos-callback"},
4267 resumeSession: resume,
4268 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4269 testCases = append(testCases, testCase{
4270 testType: serverTest,
4271 name: "Server-DDoS-OK-" + suffix + "-TLS13",
4272 config: Config{
4273 MaxVersion: VersionTLS13,
4274 },
4275 flags: []string{"-install-ddos-callback"},
4276 resumeSession: resume,
4277 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4278
4279 failFlag := "-fail-ddos-callback"
4280 if resume {
4281 failFlag = "-fail-second-ddos-callback"
4282 }
4283 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4284 testType: serverTest,
4285 name: "Server-DDoS-Reject-" + suffix,
4286 config: Config{
4287 MaxVersion: VersionTLS12,
4288 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4289 flags: []string{"-install-ddos-callback", failFlag},
4290 resumeSession: resume,
4291 shouldFail: true,
4292 expectedError: ":CONNECTION_REJECTED:",
4293 expectedLocalError: "remote error: internal error",
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4294 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4295 testCases = append(testCases, testCase{
4296 testType: serverTest,
4297 name: "Server-DDoS-Reject-" + suffix + "-TLS13",
4298 config: Config{
4299 MaxVersion: VersionTLS13,
4300 },
David Benjamin2c66e072016-09-16 15:58:00 -0400[diff] [blame]4301 flags: []string{"-install-ddos-callback", failFlag},
4302 resumeSession: resume,
4303 shouldFail: true,
4304 expectedError: ":CONNECTION_REJECTED:",
4305 expectedLocalError: "remote error: internal error",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4306 })
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]4307 }
4308}
4309
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4310func addVersionNegotiationTests() {
4311 for i, shimVers := range tlsVersions {
4312 // Assemble flags to disable all newer versions on the shim.
4313 var flags []string
4314 for _, vers := range tlsVersions[i+1:] {
4315 flags = append(flags, vers.flag)
4316 }
4317
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4318 // Test configuring the runner's maximum version.
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4319 for _, runnerVers := range tlsVersions {
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4320 protocols := []protocol{tls}
4321 if runnerVers.hasDTLS && shimVers.hasDTLS {
4322 protocols = append(protocols, dtls)
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4323 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4324 for _, protocol := range protocols {
4325 expectedVersion := shimVers.version
4326 if runnerVers.version < shimVers.version {
4327 expectedVersion = runnerVers.version
4328 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4329
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4330 suffix := shimVers.name + "-" + runnerVers.name
4331 if protocol == dtls {
4332 suffix += "-DTLS"
4333 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4334
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4335 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4336
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4337 // Determine the expected initial record-layer versions.
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4338 clientVers := shimVers.version
4339 if clientVers > VersionTLS10 {
4340 clientVers = VersionTLS10
4341 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4342 clientVers = versionToWire(clientVers, protocol == dtls)
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4343 serverVers := expectedVersion
4344 if expectedVersion >= VersionTLS13 {
4345 serverVers = VersionTLS10
4346 }
David Benjaminb1dd8cd2016-09-26 19:20:48 -0400[diff] [blame]4347 serverVers = versionToWire(serverVers, protocol == dtls)
4348
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4349 testCases = append(testCases, testCase{
4350 protocol: protocol,
4351 testType: clientTest,
4352 name: "VersionNegotiation-Client-" + suffix,
4353 config: Config{
4354 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4355 Bugs: ProtocolBugs{
4356 ExpectInitialRecordVersion: clientVers,
4357 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4358 },
4359 flags: flags,
4360 expectedVersion: expectedVersion,
4361 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4362 testCases = append(testCases, testCase{
4363 protocol: protocol,
4364 testType: clientTest,
4365 name: "VersionNegotiation-Client2-" + suffix,
4366 config: Config{
4367 MaxVersion: runnerVers.version,
4368 Bugs: ProtocolBugs{
4369 ExpectInitialRecordVersion: clientVers,
4370 },
4371 },
4372 flags: []string{"-max-version", shimVersFlag},
4373 expectedVersion: expectedVersion,
4374 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4375
4376 testCases = append(testCases, testCase{
4377 protocol: protocol,
4378 testType: serverTest,
4379 name: "VersionNegotiation-Server-" + suffix,
4380 config: Config{
4381 MaxVersion: runnerVers.version,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4382 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4383 ExpectInitialRecordVersion: serverVers,
David Benjamin1e29a6b2014-12-10 02:27:24 -0500[diff] [blame]4384 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4385 },
4386 flags: flags,
4387 expectedVersion: expectedVersion,
4388 })
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4389 testCases = append(testCases, testCase{
4390 protocol: protocol,
4391 testType: serverTest,
4392 name: "VersionNegotiation-Server2-" + suffix,
4393 config: Config{
4394 MaxVersion: runnerVers.version,
4395 Bugs: ProtocolBugs{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]4396 ExpectInitialRecordVersion: serverVers,
David Benjamin1eb367c2014-12-12 18:17:51 -0500[diff] [blame]4397 },
4398 },
4399 flags: []string{"-max-version", shimVersFlag},
4400 expectedVersion: expectedVersion,
4401 })
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]4402 }
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4403 }
4404 }
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4405
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4406 // Test the version extension at all versions.
4407 for _, vers := range tlsVersions {
4408 protocols := []protocol{tls}
4409 if vers.hasDTLS {
4410 protocols = append(protocols, dtls)
4411 }
4412 for _, protocol := range protocols {
4413 suffix := vers.name
4414 if protocol == dtls {
4415 suffix += "-DTLS"
4416 }
4417
4418 wireVersion := versionToWire(vers.version, protocol == dtls)
4419 testCases = append(testCases, testCase{
4420 protocol: protocol,
4421 testType: serverTest,
4422 name: "VersionNegotiationExtension-" + suffix,
4423 config: Config{
4424 Bugs: ProtocolBugs{
4425 SendSupportedVersions: []uint16{0x1111, wireVersion, 0x2222},
4426 },
4427 },
4428 expectedVersion: vers.version,
4429 })
4430 }
4431
4432 }
4433
4434 // If all versions are unknown, negotiation fails.
4435 testCases = append(testCases, testCase{
4436 testType: serverTest,
4437 name: "NoSupportedVersions",
4438 config: Config{
4439 Bugs: ProtocolBugs{
4440 SendSupportedVersions: []uint16{0x1111},
4441 },
4442 },
4443 shouldFail: true,
4444 expectedError: ":UNSUPPORTED_PROTOCOL:",
4445 })
4446 testCases = append(testCases, testCase{
4447 protocol: dtls,
4448 testType: serverTest,
4449 name: "NoSupportedVersions-DTLS",
4450 config: Config{
4451 Bugs: ProtocolBugs{
4452 SendSupportedVersions: []uint16{0x1111},
4453 },
4454 },
4455 shouldFail: true,
4456 expectedError: ":UNSUPPORTED_PROTOCOL:",
4457 })
4458
4459 testCases = append(testCases, testCase{
4460 testType: serverTest,
4461 name: "ClientHelloVersionTooHigh",
4462 config: Config{
4463 MaxVersion: VersionTLS13,
4464 Bugs: ProtocolBugs{
4465 SendClientVersion: 0x0304,
4466 OmitSupportedVersions: true,
4467 },
4468 },
4469 expectedVersion: VersionTLS12,
4470 })
4471
4472 testCases = append(testCases, testCase{
4473 testType: serverTest,
4474 name: "ConflictingVersionNegotiation",
4475 config: Config{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4476 Bugs: ProtocolBugs{
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4477 SendClientVersion: VersionTLS12,
4478 SendSupportedVersions: []uint16{VersionTLS11},
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4479 },
4480 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4481 // The extension takes precedence over the ClientHello version.
4482 expectedVersion: VersionTLS11,
4483 })
4484
4485 testCases = append(testCases, testCase{
4486 testType: serverTest,
4487 name: "ConflictingVersionNegotiation-2",
4488 config: Config{
4489 Bugs: ProtocolBugs{
4490 SendClientVersion: VersionTLS11,
4491 SendSupportedVersions: []uint16{VersionTLS12},
4492 },
4493 },
4494 // The extension takes precedence over the ClientHello version.
4495 expectedVersion: VersionTLS12,
4496 })
4497
4498 testCases = append(testCases, testCase{
4499 testType: serverTest,
4500 name: "RejectFinalTLS13",
4501 config: Config{
4502 Bugs: ProtocolBugs{
4503 SendSupportedVersions: []uint16{VersionTLS13, VersionTLS12},
4504 },
4505 },
4506 // We currently implement a draft TLS 1.3 version. Ensure that
4507 // the true TLS 1.3 value is ignored for now.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4508 expectedVersion: VersionTLS12,
4509 })
4510
Brian Smithf85d3232016-10-28 10:34:06 -1000[diff] [blame]4511 // Test that the maximum version is selected regardless of the
4512 // client-sent order.
4513 testCases = append(testCases, testCase{
4514 testType: serverTest,
4515 name: "IgnoreClientVersionOrder",
4516 config: Config{
4517 Bugs: ProtocolBugs{
4518 SendSupportedVersions: []uint16{VersionTLS12, tls13DraftVersion},
4519 },
4520 },
4521 expectedVersion: VersionTLS13,
4522 })
4523
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4524 // Test for version tolerance.
4525 testCases = append(testCases, testCase{
4526 testType: serverTest,
4527 name: "MinorVersionTolerance",
4528 config: Config{
4529 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4530 SendClientVersion: 0x03ff,
4531 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4532 },
4533 },
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4534 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4535 })
4536 testCases = append(testCases, testCase{
4537 testType: serverTest,
4538 name: "MajorVersionTolerance",
4539 config: Config{
4540 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4541 SendClientVersion: 0x0400,
4542 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4543 },
4544 },
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4545 // TLS 1.3 must be negotiated with the supported_versions
4546 // extension, not ClientHello.version.
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4547 expectedVersion: VersionTLS12,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4548 })
David Benjaminad75a662016-09-30 15:42:59 -0400[diff] [blame]4549 testCases = append(testCases, testCase{
4550 testType: serverTest,
4551 name: "VersionTolerance-TLS13",
4552 config: Config{
4553 Bugs: ProtocolBugs{
4554 // Although TLS 1.3 does not use
4555 // ClientHello.version, it still tolerates high
4556 // values there.
4557 SendClientVersion: 0x0400,
4558 },
4559 },
4560 expectedVersion: VersionTLS13,
4561 })
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4562
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4563 testCases = append(testCases, testCase{
4564 protocol: dtls,
4565 testType: serverTest,
4566 name: "MinorVersionTolerance-DTLS",
4567 config: Config{
4568 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4569 SendClientVersion: 0xfe00,
4570 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4571 },
4572 },
4573 expectedVersion: VersionTLS12,
4574 })
4575 testCases = append(testCases, testCase{
4576 protocol: dtls,
4577 testType: serverTest,
4578 name: "MajorVersionTolerance-DTLS",
4579 config: Config{
4580 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4581 SendClientVersion: 0xfdff,
4582 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4583 },
4584 },
4585 expectedVersion: VersionTLS12,
4586 })
4587
4588 // Test that versions below 3.0 are rejected.
4589 testCases = append(testCases, testCase{
4590 testType: serverTest,
4591 name: "VersionTooLow",
4592 config: Config{
4593 Bugs: ProtocolBugs{
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4594 SendClientVersion: 0x0200,
4595 OmitSupportedVersions: true,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4596 },
4597 },
4598 shouldFail: true,
4599 expectedError: ":UNSUPPORTED_PROTOCOL:",
4600 })
4601 testCases = append(testCases, testCase{
4602 protocol: dtls,
4603 testType: serverTest,
4604 name: "VersionTooLow-DTLS",
4605 config: Config{
4606 Bugs: ProtocolBugs{
David Benjamin3c6a1ea2016-09-26 18:30:05 -0400[diff] [blame]4607 SendClientVersion: 0xffff,
David Benjamin95c69562016-06-29 18:15:03 -0400[diff] [blame]4608 },
4609 },
4610 shouldFail: true,
4611 expectedError: ":UNSUPPORTED_PROTOCOL:",
4612 })
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4613
David Benjamin2dc02042016-09-19 19:57:37 -0400[diff] [blame]4614 testCases = append(testCases, testCase{
4615 name: "ServerBogusVersion",
4616 config: Config{
4617 Bugs: ProtocolBugs{
4618 SendServerHelloVersion: 0x1234,
4619 },
4620 },
4621 shouldFail: true,
4622 expectedError: ":UNSUPPORTED_PROTOCOL:",
4623 })
4624
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4625 // Test TLS 1.3's downgrade signal.
4626 testCases = append(testCases, testCase{
4627 name: "Downgrade-TLS12-Client",
4628 config: Config{
4629 Bugs: ProtocolBugs{
4630 NegotiateVersion: VersionTLS12,
4631 },
4632 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4633 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4634 // TODO(davidben): This test should fail once TLS 1.3 is final
4635 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4636 })
4637 testCases = append(testCases, testCase{
4638 testType: serverTest,
4639 name: "Downgrade-TLS12-Server",
4640 config: Config{
4641 Bugs: ProtocolBugs{
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4642 SendSupportedVersions: []uint16{VersionTLS12},
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4643 },
4644 },
David Benjamin592b5322016-09-30 15:15:01 -0400[diff] [blame]4645 expectedVersion: VersionTLS12,
David Benjamin55108632016-08-11 22:01:18 -0400[diff] [blame]4646 // TODO(davidben): This test should fail once TLS 1.3 is final
4647 // and the fallback signal restored.
David Benjamin1f61f0d2016-07-10 12:20:35 -0400[diff] [blame]4648 })
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]4649}
4650
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4651func addMinimumVersionTests() {
4652 for i, shimVers := range tlsVersions {
4653 // Assemble flags to disable all older versions on the shim.
4654 var flags []string
4655 for _, vers := range tlsVersions[:i] {
4656 flags = append(flags, vers.flag)
4657 }
4658
4659 for _, runnerVers := range tlsVersions {
4660 protocols := []protocol{tls}
4661 if runnerVers.hasDTLS && shimVers.hasDTLS {
4662 protocols = append(protocols, dtls)
4663 }
4664 for _, protocol := range protocols {
4665 suffix := shimVers.name + "-" + runnerVers.name
4666 if protocol == dtls {
4667 suffix += "-DTLS"
4668 }
4669 shimVersFlag := strconv.Itoa(int(versionToWire(shimVers.version, protocol == dtls)))
4670
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4671 var expectedVersion uint16
4672 var shouldFail bool
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4673 var expectedError, expectedLocalError string
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4674 if runnerVers.version >= shimVers.version {
4675 expectedVersion = runnerVers.version
4676 } else {
4677 shouldFail = true
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4678 expectedError = ":UNSUPPORTED_PROTOCOL:"
4679 expectedLocalError = "remote error: protocol version not supported"
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4680 }
4681
4682 testCases = append(testCases, testCase{
4683 protocol: protocol,
4684 testType: clientTest,
4685 name: "MinimumVersion-Client-" + suffix,
4686 config: Config{
4687 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4688 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4689 // Ensure the server does not decline to
4690 // select a version (versions extension) or
4691 // cipher (some ciphers depend on versions).
4692 NegotiateVersion: runnerVers.version,
4693 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4694 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4695 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4696 flags: flags,
4697 expectedVersion: expectedVersion,
4698 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4699 expectedError: expectedError,
4700 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4701 })
4702 testCases = append(testCases, testCase{
4703 protocol: protocol,
4704 testType: clientTest,
4705 name: "MinimumVersion-Client2-" + suffix,
4706 config: Config{
4707 MaxVersion: runnerVers.version,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4708 Bugs: ProtocolBugs{
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4709 // Ensure the server does not decline to
4710 // select a version (versions extension) or
4711 // cipher (some ciphers depend on versions).
4712 NegotiateVersion: runnerVers.version,
4713 IgnorePeerCipherPreferences: shouldFail,
Steven Valdezfdd10992016-09-15 16:27:05 -0400[diff] [blame]4714 },
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4715 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4716 flags: []string{"-min-version", shimVersFlag},
4717 expectedVersion: expectedVersion,
4718 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4719 expectedError: expectedError,
4720 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4721 })
4722
4723 testCases = append(testCases, testCase{
4724 protocol: protocol,
4725 testType: serverTest,
4726 name: "MinimumVersion-Server-" + suffix,
4727 config: Config{
4728 MaxVersion: runnerVers.version,
4729 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4730 flags: flags,
4731 expectedVersion: expectedVersion,
4732 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4733 expectedError: expectedError,
4734 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4735 })
4736 testCases = append(testCases, testCase{
4737 protocol: protocol,
4738 testType: serverTest,
4739 name: "MinimumVersion-Server2-" + suffix,
4740 config: Config{
4741 MaxVersion: runnerVers.version,
4742 },
David Benjamin87909c02014-12-13 01:55:01 -0500[diff] [blame]4743 flags: []string{"-min-version", shimVersFlag},
4744 expectedVersion: expectedVersion,
4745 shouldFail: shouldFail,
David Benjamin6dbde982016-10-03 19:11:14 -0400[diff] [blame]4746 expectedError: expectedError,
4747 expectedLocalError: expectedLocalError,
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]4748 })
4749 }
4750 }
4751 }
4752}
4753
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4754func addExtensionTests() {
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]4755 // TODO(davidben): Extensions, where applicable, all move their server
4756 // halves to EncryptedExtensions in TLS 1.3. Duplicate each of these
4757 // tests for both. Also test interaction with 0-RTT when implemented.
4758
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4759 // Repeat extensions tests all versions except SSL 3.0.
4760 for _, ver := range tlsVersions {
4761 if ver.version == VersionSSL30 {
4762 continue
4763 }
4764
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4765 // Test that duplicate extensions are rejected.
4766 testCases = append(testCases, testCase{
4767 testType: clientTest,
4768 name: "DuplicateExtensionClient-" + ver.name,
4769 config: Config{
4770 MaxVersion: ver.version,
4771 Bugs: ProtocolBugs{
4772 DuplicateExtension: true,
4773 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4774 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4775 shouldFail: true,
4776 expectedLocalError: "remote error: error decoding message",
4777 })
4778 testCases = append(testCases, testCase{
4779 testType: serverTest,
4780 name: "DuplicateExtensionServer-" + ver.name,
4781 config: Config{
4782 MaxVersion: ver.version,
4783 Bugs: ProtocolBugs{
4784 DuplicateExtension: true,
4785 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4786 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4787 shouldFail: true,
4788 expectedLocalError: "remote error: error decoding message",
4789 })
4790
4791 // Test SNI.
4792 testCases = append(testCases, testCase{
4793 testType: clientTest,
4794 name: "ServerNameExtensionClient-" + ver.name,
4795 config: Config{
4796 MaxVersion: ver.version,
4797 Bugs: ProtocolBugs{
4798 ExpectServerName: "example.com",
4799 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4800 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4801 flags: []string{"-host-name", "example.com"},
4802 })
4803 testCases = append(testCases, testCase{
4804 testType: clientTest,
4805 name: "ServerNameExtensionClientMismatch-" + ver.name,
4806 config: Config{
4807 MaxVersion: ver.version,
4808 Bugs: ProtocolBugs{
4809 ExpectServerName: "mismatch.com",
4810 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4811 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4812 flags: []string{"-host-name", "example.com"},
4813 shouldFail: true,
4814 expectedLocalError: "tls: unexpected server name",
4815 })
4816 testCases = append(testCases, testCase{
4817 testType: clientTest,
4818 name: "ServerNameExtensionClientMissing-" + ver.name,
4819 config: Config{
4820 MaxVersion: ver.version,
4821 Bugs: ProtocolBugs{
4822 ExpectServerName: "missing.com",
4823 },
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]4824 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4825 shouldFail: true,
4826 expectedLocalError: "tls: unexpected server name",
4827 })
4828 testCases = append(testCases, testCase{
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]4829 testType: clientTest,
4830 name: "TolerateServerNameAck-" + ver.name,
4831 config: Config{
4832 MaxVersion: ver.version,
4833 Bugs: ProtocolBugs{
4834 SendServerNameAck: true,
4835 },
4836 },
4837 flags: []string{"-host-name", "example.com"},
4838 resumeSession: true,
4839 })
4840 testCases = append(testCases, testCase{
4841 testType: clientTest,
4842 name: "UnsolicitedServerNameAck-" + ver.name,
4843 config: Config{
4844 MaxVersion: ver.version,
4845 Bugs: ProtocolBugs{
4846 SendServerNameAck: true,
4847 },
4848 },
4849 shouldFail: true,
4850 expectedError: ":UNEXPECTED_EXTENSION:",
4851 expectedLocalError: "remote error: unsupported extension",
4852 })
4853 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4854 testType: serverTest,
4855 name: "ServerNameExtensionServer-" + ver.name,
4856 config: Config{
4857 MaxVersion: ver.version,
4858 ServerName: "example.com",
David Benjaminfc7b0862014-09-06 13:21:53 -0400[diff] [blame]4859 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4860 flags: []string{"-expect-server-name", "example.com"},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4861 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4862 })
4863
4864 // Test ALPN.
4865 testCases = append(testCases, testCase{
4866 testType: clientTest,
4867 name: "ALPNClient-" + ver.name,
4868 config: Config{
4869 MaxVersion: ver.version,
4870 NextProtos: []string{"foo"},
4871 },
4872 flags: []string{
4873 "-advertise-alpn", "\x03foo\x03bar\x03baz",
4874 "-expect-alpn", "foo",
4875 },
4876 expectedNextProto: "foo",
4877 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4878 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4879 })
4880 testCases = append(testCases, testCase{
David Benjamin3e517572016-08-11 11:52:23 -0400[diff] [blame]4881 testType: clientTest,
4882 name: "ALPNClient-Mismatch-" + ver.name,
4883 config: Config{
4884 MaxVersion: ver.version,
4885 Bugs: ProtocolBugs{
4886 SendALPN: "baz",
4887 },
4888 },
4889 flags: []string{
4890 "-advertise-alpn", "\x03foo\x03bar",
4891 },
4892 shouldFail: true,
4893 expectedError: ":INVALID_ALPN_PROTOCOL:",
4894 expectedLocalError: "remote error: illegal parameter",
4895 })
4896 testCases = append(testCases, testCase{
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4897 testType: serverTest,
4898 name: "ALPNServer-" + ver.name,
4899 config: Config{
4900 MaxVersion: ver.version,
4901 NextProtos: []string{"foo", "bar", "baz"},
4902 },
4903 flags: []string{
4904 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4905 "-select-alpn", "foo",
4906 },
4907 expectedNextProto: "foo",
4908 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4909 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4910 })
4911 testCases = append(testCases, testCase{
4912 testType: serverTest,
4913 name: "ALPNServer-Decline-" + ver.name,
4914 config: Config{
4915 MaxVersion: ver.version,
4916 NextProtos: []string{"foo", "bar", "baz"},
4917 },
4918 flags: []string{"-decline-alpn"},
4919 expectNoNextProto: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4920 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4921 })
4922
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4923 // Test ALPN in async mode as well to ensure that extensions callbacks are only
4924 // called once.
4925 testCases = append(testCases, testCase{
4926 testType: serverTest,
4927 name: "ALPNServer-Async-" + ver.name,
4928 config: Config{
4929 MaxVersion: ver.version,
4930 NextProtos: []string{"foo", "bar", "baz"},
David Benjamin4eb95cc2016-11-16 17:08:23 +0900[diff] [blame]4931 // Prior to TLS 1.3, exercise the asynchronous session callback.
4932 SessionTicketsDisabled: ver.version < VersionTLS13,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4933 },
4934 flags: []string{
4935 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4936 "-select-alpn", "foo",
4937 "-async",
4938 },
4939 expectedNextProto: "foo",
4940 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4941 resumeSession: true,
David Benjamin25fe85b2016-08-09 20:00:32 -0400[diff] [blame]4942 })
4943
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4944 var emptyString string
4945 testCases = append(testCases, testCase{
4946 testType: clientTest,
4947 name: "ALPNClient-EmptyProtocolName-" + ver.name,
4948 config: Config{
4949 MaxVersion: ver.version,
4950 NextProtos: []string{""},
4951 Bugs: ProtocolBugs{
4952 // A server returning an empty ALPN protocol
4953 // should be rejected.
4954 ALPNProtocol: &emptyString,
4955 },
4956 },
4957 flags: []string{
4958 "-advertise-alpn", "\x03foo",
4959 },
4960 shouldFail: true,
4961 expectedError: ":PARSE_TLSEXT:",
4962 })
4963 testCases = append(testCases, testCase{
4964 testType: serverTest,
4965 name: "ALPNServer-EmptyProtocolName-" + ver.name,
4966 config: Config{
4967 MaxVersion: ver.version,
4968 // A ClientHello containing an empty ALPN protocol
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4969 // should be rejected.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4970 NextProtos: []string{"foo", "", "baz"},
Adam Langleyefb0e162015-07-09 11:35:04 -0700[diff] [blame]4971 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4972 flags: []string{
4973 "-select-alpn", "foo",
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]4974 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4975 shouldFail: true,
4976 expectedError: ":PARSE_TLSEXT:",
4977 })
4978
4979 // Test NPN and the interaction with ALPN.
4980 if ver.version < VersionTLS13 {
4981 // Test that the server prefers ALPN over NPN.
4982 testCases = append(testCases, testCase{
4983 testType: serverTest,
4984 name: "ALPNServer-Preferred-" + ver.name,
4985 config: Config{
4986 MaxVersion: ver.version,
4987 NextProtos: []string{"foo", "bar", "baz"},
4988 },
4989 flags: []string{
4990 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
4991 "-select-alpn", "foo",
4992 "-advertise-npn", "\x03foo\x03bar\x03baz",
4993 },
4994 expectedNextProto: "foo",
4995 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]4996 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]4997 })
4998 testCases = append(testCases, testCase{
4999 testType: serverTest,
5000 name: "ALPNServer-Preferred-Swapped-" + ver.name,
5001 config: Config{
5002 MaxVersion: ver.version,
5003 NextProtos: []string{"foo", "bar", "baz"},
5004 Bugs: ProtocolBugs{
5005 SwapNPNAndALPN: true,
5006 },
5007 },
5008 flags: []string{
5009 "-expect-advertised-alpn", "\x03foo\x03bar\x03baz",
5010 "-select-alpn", "foo",
5011 "-advertise-npn", "\x03foo\x03bar\x03baz",
5012 },
5013 expectedNextProto: "foo",
5014 expectedNextProtoType: alpn,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5015 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5016 })
5017
5018 // Test that negotiating both NPN and ALPN is forbidden.
5019 testCases = append(testCases, testCase{
5020 name: "NegotiateALPNAndNPN-" + ver.name,
5021 config: Config{
5022 MaxVersion: ver.version,
5023 NextProtos: []string{"foo", "bar", "baz"},
5024 Bugs: ProtocolBugs{
5025 NegotiateALPNAndNPN: true,
5026 },
5027 },
5028 flags: []string{
5029 "-advertise-alpn", "\x03foo",
5030 "-select-next-proto", "foo",
5031 },
5032 shouldFail: true,
5033 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5034 })
5035 testCases = append(testCases, testCase{
5036 name: "NegotiateALPNAndNPN-Swapped-" + ver.name,
5037 config: Config{
5038 MaxVersion: ver.version,
5039 NextProtos: []string{"foo", "bar", "baz"},
5040 Bugs: ProtocolBugs{
5041 NegotiateALPNAndNPN: true,
5042 SwapNPNAndALPN: true,
5043 },
5044 },
5045 flags: []string{
5046 "-advertise-alpn", "\x03foo",
5047 "-select-next-proto", "foo",
5048 },
5049 shouldFail: true,
5050 expectedError: ":NEGOTIATED_BOTH_NPN_AND_ALPN:",
5051 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5052 }
5053
5054 // Test ticket behavior.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5055
5056 // Resume with a corrupt ticket.
5057 testCases = append(testCases, testCase{
5058 testType: serverTest,
5059 name: "CorruptTicket-" + ver.name,
5060 config: Config{
5061 MaxVersion: ver.version,
5062 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5063 FilterTicket: func(in []byte) ([]byte, error) {
5064 in[len(in)-1] ^= 1
5065 return in, nil
5066 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5067 },
5068 },
5069 resumeSession: true,
5070 expectResumeRejected: true,
5071 })
5072 // Test the ticket callback, with and without renewal.
5073 testCases = append(testCases, testCase{
5074 testType: serverTest,
5075 name: "TicketCallback-" + ver.name,
5076 config: Config{
5077 MaxVersion: ver.version,
5078 },
5079 resumeSession: true,
5080 flags: []string{"-use-ticket-callback"},
5081 })
5082 testCases = append(testCases, testCase{
5083 testType: serverTest,
5084 name: "TicketCallback-Renew-" + ver.name,
5085 config: Config{
5086 MaxVersion: ver.version,
5087 Bugs: ProtocolBugs{
5088 ExpectNewTicket: true,
5089 },
5090 },
5091 flags: []string{"-use-ticket-callback", "-renew-ticket"},
5092 resumeSession: true,
5093 })
5094
5095 // Test that the ticket callback is only called once when everything before
5096 // it in the ClientHello is asynchronous. This corrupts the ticket so
5097 // certificate selection callbacks run.
5098 testCases = append(testCases, testCase{
5099 testType: serverTest,
5100 name: "TicketCallback-SingleCall-" + ver.name,
5101 config: Config{
5102 MaxVersion: ver.version,
5103 Bugs: ProtocolBugs{
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5104 FilterTicket: func(in []byte) ([]byte, error) {
5105 in[len(in)-1] ^= 1
5106 return in, nil
5107 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5108 },
5109 },
5110 resumeSession: true,
5111 expectResumeRejected: true,
5112 flags: []string{
5113 "-use-ticket-callback",
5114 "-async",
5115 },
5116 })
5117
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5118 // Resume with various lengths of ticket session id.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5119 if ver.version < VersionTLS13 {
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5120 testCases = append(testCases, testCase{
5121 testType: serverTest,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5122 name: "TicketSessionIDLength-0-" + ver.name,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5123 config: Config{
5124 MaxVersion: ver.version,
5125 Bugs: ProtocolBugs{
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5126 EmptyTicketSessionID: true,
5127 },
5128 },
5129 resumeSession: true,
5130 })
5131 testCases = append(testCases, testCase{
5132 testType: serverTest,
5133 name: "TicketSessionIDLength-16-" + ver.name,
5134 config: Config{
5135 MaxVersion: ver.version,
5136 Bugs: ProtocolBugs{
5137 TicketSessionIDLength: 16,
5138 },
5139 },
5140 resumeSession: true,
5141 })
5142 testCases = append(testCases, testCase{
5143 testType: serverTest,
5144 name: "TicketSessionIDLength-32-" + ver.name,
5145 config: Config{
5146 MaxVersion: ver.version,
5147 Bugs: ProtocolBugs{
5148 TicketSessionIDLength: 32,
5149 },
5150 },
5151 resumeSession: true,
5152 })
5153 testCases = append(testCases, testCase{
5154 testType: serverTest,
5155 name: "TicketSessionIDLength-33-" + ver.name,
5156 config: Config{
5157 MaxVersion: ver.version,
5158 Bugs: ProtocolBugs{
5159 TicketSessionIDLength: 33,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5160 },
5161 },
5162 resumeSession: true,
5163 shouldFail: true,
David Benjamind4c349b2017-02-09 14:07:17 -0500[diff] [blame]5164 // The maximum session ID length is 32.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5165 expectedError: ":DECODE_ERROR:",
5166 })
5167 }
5168
5169 // Basic DTLS-SRTP tests. Include fake profiles to ensure they
5170 // are ignored.
5171 if ver.hasDTLS {
5172 testCases = append(testCases, testCase{
5173 protocol: dtls,
5174 name: "SRTP-Client-" + ver.name,
5175 config: Config{
5176 MaxVersion: ver.version,
5177 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5178 },
5179 flags: []string{
5180 "-srtp-profiles",
5181 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5182 },
5183 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5184 })
5185 testCases = append(testCases, testCase{
5186 protocol: dtls,
5187 testType: serverTest,
5188 name: "SRTP-Server-" + ver.name,
5189 config: Config{
5190 MaxVersion: ver.version,
5191 SRTPProtectionProfiles: []uint16{40, SRTP_AES128_CM_HMAC_SHA1_80, 42},
5192 },
5193 flags: []string{
5194 "-srtp-profiles",
5195 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5196 },
5197 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5198 })
5199 // Test that the MKI is ignored.
5200 testCases = append(testCases, testCase{
5201 protocol: dtls,
5202 testType: serverTest,
5203 name: "SRTP-Server-IgnoreMKI-" + ver.name,
5204 config: Config{
5205 MaxVersion: ver.version,
5206 SRTPProtectionProfiles: []uint16{SRTP_AES128_CM_HMAC_SHA1_80},
5207 Bugs: ProtocolBugs{
5208 SRTPMasterKeyIdentifer: "bogus",
5209 },
5210 },
5211 flags: []string{
5212 "-srtp-profiles",
5213 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5214 },
5215 expectedSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_80,
5216 })
5217 // Test that SRTP isn't negotiated on the server if there were
5218 // no matching profiles.
5219 testCases = append(testCases, testCase{
5220 protocol: dtls,
5221 testType: serverTest,
5222 name: "SRTP-Server-NoMatch-" + ver.name,
5223 config: Config{
5224 MaxVersion: ver.version,
5225 SRTPProtectionProfiles: []uint16{100, 101, 102},
5226 },
5227 flags: []string{
5228 "-srtp-profiles",
5229 "SRTP_AES128_CM_SHA1_80:SRTP_AES128_CM_SHA1_32",
5230 },
5231 expectedSRTPProtectionProfile: 0,
5232 })
5233 // Test that the server returning an invalid SRTP profile is
5234 // flagged as an error by the client.
5235 testCases = append(testCases, testCase{
5236 protocol: dtls,
5237 name: "SRTP-Client-NoMatch-" + ver.name,
5238 config: Config{
5239 MaxVersion: ver.version,
5240 Bugs: ProtocolBugs{
5241 SendSRTPProtectionProfile: SRTP_AES128_CM_HMAC_SHA1_32,
5242 },
5243 },
5244 flags: []string{
5245 "-srtp-profiles",
5246 "SRTP_AES128_CM_SHA1_80",
5247 },
5248 shouldFail: true,
5249 expectedError: ":BAD_SRTP_PROTECTION_PROFILE_LIST:",
5250 })
5251 }
5252
5253 // Test SCT list.
5254 testCases = append(testCases, testCase{
5255 name: "SignedCertificateTimestampList-Client-" + ver.name,
5256 testType: clientTest,
5257 config: Config{
5258 MaxVersion: ver.version,
David Benjamin76c2efc2015-08-31 14:24:29 -0400[diff] [blame]5259 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5260 flags: []string{
5261 "-enable-signed-cert-timestamps",
5262 "-expect-signed-cert-timestamps",
5263 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5264 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5265 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5266 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5267
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5268 var differentSCTList []byte
5269 differentSCTList = append(differentSCTList, testSCTList...)
5270 differentSCTList[len(differentSCTList)-1] ^= 1
5271
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5272 // The SCT extension did not specify that it must only be sent on resumption as it
5273 // should have, so test that we tolerate but ignore it.
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5274 testCases = append(testCases, testCase{
5275 name: "SendSCTListOnResume-" + ver.name,
5276 config: Config{
5277 MaxVersion: ver.version,
5278 Bugs: ProtocolBugs{
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5279 SendSCTListOnResume: differentSCTList,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5280 },
David Benjamind98452d2015-06-16 14:16:23 -0400[diff] [blame]5281 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5282 flags: []string{
5283 "-enable-signed-cert-timestamps",
5284 "-expect-signed-cert-timestamps",
5285 base64.StdEncoding.EncodeToString(testSCTList),
Adam Langley38311732014-10-16 19:04:35 -0700[diff] [blame]5286 },
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5287 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5288 })
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5289
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5290 testCases = append(testCases, testCase{
5291 name: "SignedCertificateTimestampList-Server-" + ver.name,
5292 testType: serverTest,
5293 config: Config{
5294 MaxVersion: ver.version,
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5295 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5296 flags: []string{
5297 "-signed-cert-timestamps",
5298 base64.StdEncoding.EncodeToString(testSCTList),
David Benjaminca6c8262014-11-15 19:06:08 -0500[diff] [blame]5299 },
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5300 expectedSCTList: testSCTList,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5301 resumeSession: true,
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5302 })
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5303
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5304 emptySCTListCert := *testCerts[0].cert
5305 emptySCTListCert.SignedCertificateTimestampList = []byte{0, 0}
5306
5307 // Test empty SCT list.
5308 testCases = append(testCases, testCase{
5309 name: "SignedCertificateTimestampListEmpty-Client-" + ver.name,
5310 testType: clientTest,
5311 config: Config{
5312 MaxVersion: ver.version,
5313 Certificates: []Certificate{emptySCTListCert},
5314 },
5315 flags: []string{
5316 "-enable-signed-cert-timestamps",
5317 },
5318 shouldFail: true,
5319 expectedError: ":ERROR_PARSING_EXTENSION:",
5320 })
5321
5322 emptySCTCert := *testCerts[0].cert
5323 emptySCTCert.SignedCertificateTimestampList = []byte{0, 6, 0, 2, 1, 2, 0, 0}
5324
5325 // Test empty SCT in non-empty list.
5326 testCases = append(testCases, testCase{
5327 name: "SignedCertificateTimestampListEmptySCT-Client-" + ver.name,
5328 testType: clientTest,
5329 config: Config{
5330 MaxVersion: ver.version,
5331 Certificates: []Certificate{emptySCTCert},
5332 },
5333 flags: []string{
5334 "-enable-signed-cert-timestamps",
5335 },
5336 shouldFail: true,
5337 expectedError: ":ERROR_PARSING_EXTENSION:",
5338 })
5339
David Benjamin53210cb2016-11-16 09:01:48 +0900[diff] [blame]5340 // Test that certificate-related extensions are not sent unsolicited.
5341 testCases = append(testCases, testCase{
5342 testType: serverTest,
5343 name: "UnsolicitedCertificateExtensions-" + ver.name,
5344 config: Config{
5345 MaxVersion: ver.version,
5346 Bugs: ProtocolBugs{
5347 NoOCSPStapling: true,
5348 NoSignedCertificateTimestamps: true,
5349 },
5350 },
5351 flags: []string{
5352 "-ocsp-response",
5353 base64.StdEncoding.EncodeToString(testOCSPResponse),
5354 "-signed-cert-timestamps",
5355 base64.StdEncoding.EncodeToString(testSCTList),
5356 },
5357 })
David Benjamin97d17d92016-07-14 16:12:00 -0400[diff] [blame]5358 }
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]5359
Paul Lietar4fac72e2015-09-09 13:44:55 +0100[diff] [blame]5360 testCases = append(testCases, testCase{
Adam Langley33ad2b52015-07-20 17:43:53 -0700[diff] [blame]5361 testType: clientTest,
5362 name: "ClientHelloPadding",
5363 config: Config{
5364 Bugs: ProtocolBugs{
5365 RequireClientHelloSize: 512,
5366 },
5367 },
5368 // This hostname just needs to be long enough to push the
5369 // ClientHello into F5's danger zone between 256 and 511 bytes
5370 // long.
5371 flags: []string{"-host-name", "01234567890123456789012345678901234567890123456789012345678901234567890123456789.com"},
5372 })
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5373
5374 // Extensions should not function in SSL 3.0.
5375 testCases = append(testCases, testCase{
5376 testType: serverTest,
5377 name: "SSLv3Extensions-NoALPN",
5378 config: Config{
5379 MaxVersion: VersionSSL30,
5380 NextProtos: []string{"foo", "bar", "baz"},
5381 },
5382 flags: []string{
5383 "-select-alpn", "foo",
5384 },
5385 expectNoNextProto: true,
5386 })
5387
5388 // Test session tickets separately as they follow a different codepath.
5389 testCases = append(testCases, testCase{
5390 testType: serverTest,
5391 name: "SSLv3Extensions-NoTickets",
5392 config: Config{
5393 MaxVersion: VersionSSL30,
5394 Bugs: ProtocolBugs{
5395 // Historically, session tickets in SSL 3.0
5396 // failed in different ways depending on whether
5397 // the client supported renegotiation_info.
5398 NoRenegotiationInfo: true,
5399 },
5400 },
5401 resumeSession: true,
5402 })
5403 testCases = append(testCases, testCase{
5404 testType: serverTest,
5405 name: "SSLv3Extensions-NoTickets2",
5406 config: Config{
5407 MaxVersion: VersionSSL30,
5408 },
5409 resumeSession: true,
5410 })
5411
5412 // But SSL 3.0 does send and process renegotiation_info.
5413 testCases = append(testCases, testCase{
5414 testType: serverTest,
5415 name: "SSLv3Extensions-RenegotiationInfo",
5416 config: Config{
5417 MaxVersion: VersionSSL30,
5418 Bugs: ProtocolBugs{
5419 RequireRenegotiationInfo: true,
5420 },
5421 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5422 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5423 })
5424 testCases = append(testCases, testCase{
5425 testType: serverTest,
5426 name: "SSLv3Extensions-RenegotiationInfo-SCSV",
5427 config: Config{
5428 MaxVersion: VersionSSL30,
5429 Bugs: ProtocolBugs{
5430 NoRenegotiationInfo: true,
5431 SendRenegotiationSCSV: true,
5432 RequireRenegotiationInfo: true,
5433 },
5434 },
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]5435 flags: []string{"-expect-secure-renegotiation"},
David Benjaminc7ce9772015-10-09 19:32:41 -0400[diff] [blame]5436 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5437
5438 // Test that illegal extensions in TLS 1.3 are rejected by the client if
5439 // in ServerHello.
5440 testCases = append(testCases, testCase{
5441 name: "NPN-Forbidden-TLS13",
5442 config: Config{
5443 MaxVersion: VersionTLS13,
5444 NextProtos: []string{"foo"},
5445 Bugs: ProtocolBugs{
5446 NegotiateNPNAtAllVersions: true,
5447 },
5448 },
5449 flags: []string{"-select-next-proto", "foo"},
5450 shouldFail: true,
5451 expectedError: ":ERROR_PARSING_EXTENSION:",
5452 })
5453 testCases = append(testCases, testCase{
5454 name: "EMS-Forbidden-TLS13",
5455 config: Config{
5456 MaxVersion: VersionTLS13,
5457 Bugs: ProtocolBugs{
5458 NegotiateEMSAtAllVersions: true,
5459 },
5460 },
5461 shouldFail: true,
5462 expectedError: ":ERROR_PARSING_EXTENSION:",
5463 })
5464 testCases = append(testCases, testCase{
5465 name: "RenegotiationInfo-Forbidden-TLS13",
5466 config: Config{
5467 MaxVersion: VersionTLS13,
5468 Bugs: ProtocolBugs{
5469 NegotiateRenegotiationInfoAtAllVersions: true,
5470 },
5471 },
5472 shouldFail: true,
5473 expectedError: ":ERROR_PARSING_EXTENSION:",
5474 })
5475 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5476 name: "Ticket-Forbidden-TLS13",
5477 config: Config{
5478 MaxVersion: VersionTLS12,
5479 },
5480 resumeConfig: &Config{
5481 MaxVersion: VersionTLS13,
5482 Bugs: ProtocolBugs{
5483 AdvertiseTicketExtension: true,
5484 },
5485 },
5486 resumeSession: true,
5487 shouldFail: true,
5488 expectedError: ":ERROR_PARSING_EXTENSION:",
5489 })
5490
5491 // Test that illegal extensions in TLS 1.3 are declined by the server if
5492 // offered in ClientHello. The runner's server will fail if this occurs,
5493 // so we exercise the offering path. (EMS and Renegotiation Info are
5494 // implicit in every test.)
5495 testCases = append(testCases, testCase{
5496 testType: serverTest,
David Benjamin73647192016-09-22 16:24:04 -0400[diff] [blame]5497 name: "NPN-Declined-TLS13",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]5498 config: Config{
5499 MaxVersion: VersionTLS13,
5500 NextProtos: []string{"bar"},
5501 },
5502 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
5503 })
David Benjamin196df5b2016-09-21 16:23:27 -0400[diff] [blame]5504
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5505 // OpenSSL sends the status_request extension on resumption in TLS 1.2. Test that this is
5506 // tolerated.
5507 testCases = append(testCases, testCase{
5508 name: "SendOCSPResponseOnResume-TLS12",
5509 config: Config{
5510 MaxVersion: VersionTLS12,
5511 Bugs: ProtocolBugs{
5512 SendOCSPResponseOnResume: []byte("bogus"),
5513 },
5514 },
5515 flags: []string{
5516 "-enable-ocsp-stapling",
5517 "-expect-ocsp-response",
5518 base64.StdEncoding.EncodeToString(testOCSPResponse),
5519 },
5520 resumeSession: true,
5521 })
5522
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5523 testCases = append(testCases, testCase{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5524 name: "SendUnsolicitedOCSPOnCertificate-TLS13",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5525 config: Config{
5526 MaxVersion: VersionTLS13,
5527 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5528 SendExtensionOnCertificate: testOCSPExtension,
5529 },
5530 },
5531 shouldFail: true,
5532 expectedError: ":UNEXPECTED_EXTENSION:",
5533 })
5534
5535 testCases = append(testCases, testCase{
5536 name: "SendUnsolicitedSCTOnCertificate-TLS13",
5537 config: Config{
5538 MaxVersion: VersionTLS13,
5539 Bugs: ProtocolBugs{
5540 SendExtensionOnCertificate: testSCTExtension,
5541 },
5542 },
5543 shouldFail: true,
5544 expectedError: ":UNEXPECTED_EXTENSION:",
5545 })
5546
5547 // Test that extensions on client certificates are never accepted.
5548 testCases = append(testCases, testCase{
5549 name: "SendExtensionOnClientCertificate-TLS13",
5550 testType: serverTest,
5551 config: Config{
5552 MaxVersion: VersionTLS13,
5553 Certificates: []Certificate{rsaCertificate},
5554 Bugs: ProtocolBugs{
5555 SendExtensionOnCertificate: testOCSPExtension,
5556 },
5557 },
5558 flags: []string{
5559 "-enable-ocsp-stapling",
5560 "-require-any-client-certificate",
5561 },
5562 shouldFail: true,
5563 expectedError: ":UNEXPECTED_EXTENSION:",
5564 })
5565
5566 testCases = append(testCases, testCase{
5567 name: "SendUnknownExtensionOnCertificate-TLS13",
5568 config: Config{
5569 MaxVersion: VersionTLS13,
5570 Bugs: ProtocolBugs{
5571 SendExtensionOnCertificate: []byte{0x00, 0x7f, 0, 0},
5572 },
5573 },
5574 shouldFail: true,
5575 expectedError: ":UNEXPECTED_EXTENSION:",
5576 })
5577
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5578 var differentSCTList []byte
5579 differentSCTList = append(differentSCTList, testSCTList...)
5580 differentSCTList[len(differentSCTList)-1] ^= 1
5581
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5582 // Test that extensions on intermediates are allowed but ignored.
5583 testCases = append(testCases, testCase{
5584 name: "IgnoreExtensionsOnIntermediates-TLS13",
5585 config: Config{
5586 MaxVersion: VersionTLS13,
5587 Certificates: []Certificate{rsaChainCertificate},
5588 Bugs: ProtocolBugs{
5589 // Send different values on the intermediate. This tests
5590 // the intermediate's extensions do not override the
5591 // leaf's.
5592 SendOCSPOnIntermediates: []byte{1, 3, 3, 7},
Adam Langleycfa08c32016-11-17 13:21:27 -0800[diff] [blame]5593 SendSCTOnIntermediates: differentSCTList,
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5594 },
5595 },
5596 flags: []string{
5597 "-enable-ocsp-stapling",
5598 "-expect-ocsp-response",
5599 base64.StdEncoding.EncodeToString(testOCSPResponse),
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5600 "-enable-signed-cert-timestamps",
5601 "-expect-signed-cert-timestamps",
5602 base64.StdEncoding.EncodeToString(testSCTList),
5603 },
5604 resumeSession: true,
5605 })
5606
5607 // Test that extensions are not sent on intermediates when configured
5608 // only for a leaf.
5609 testCases = append(testCases, testCase{
5610 testType: serverTest,
5611 name: "SendNoExtensionsOnIntermediate-TLS13",
5612 config: Config{
5613 MaxVersion: VersionTLS13,
5614 Bugs: ProtocolBugs{
5615 ExpectNoExtensionsOnIntermediate: true,
5616 },
5617 },
5618 flags: []string{
5619 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
5620 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
5621 "-ocsp-response",
5622 base64.StdEncoding.EncodeToString(testOCSPResponse),
5623 "-signed-cert-timestamps",
5624 base64.StdEncoding.EncodeToString(testSCTList),
5625 },
5626 })
5627
5628 // Test that extensions are not sent on client certificates.
5629 testCases = append(testCases, testCase{
5630 name: "SendNoClientCertificateExtensions-TLS13",
5631 config: Config{
5632 MaxVersion: VersionTLS13,
5633 ClientAuth: RequireAnyClientCert,
5634 },
5635 flags: []string{
5636 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
5637 "-key-file", path.Join(*resourceDir, rsaKeyFile),
5638 "-ocsp-response",
5639 base64.StdEncoding.EncodeToString(testOCSPResponse),
5640 "-signed-cert-timestamps",
5641 base64.StdEncoding.EncodeToString(testSCTList),
5642 },
5643 })
5644
5645 testCases = append(testCases, testCase{
5646 name: "SendDuplicateExtensionsOnCerts-TLS13",
5647 config: Config{
5648 MaxVersion: VersionTLS13,
5649 Bugs: ProtocolBugs{
5650 SendDuplicateCertExtensions: true,
5651 },
5652 },
5653 flags: []string{
5654 "-enable-ocsp-stapling",
5655 "-enable-signed-cert-timestamps",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5656 },
5657 resumeSession: true,
5658 shouldFail: true,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]5659 expectedError: ":DUPLICATE_EXTENSION:",
David Benjamindaa88502016-10-04 16:32:16 -0400[diff] [blame]5660 })
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5661
5662 testCases = append(testCases, testCase{
5663 name: "SignedCertificateTimestampListInvalid-Server",
5664 testType: serverTest,
5665 flags: []string{
5666 "-signed-cert-timestamps",
5667 base64.StdEncoding.EncodeToString([]byte{0, 0}),
5668 },
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]5669 shouldFail: true,
Adam Langley9b885c52016-11-18 14:21:03 -0800[diff] [blame]5670 expectedError: ":INVALID_SCT_LIST:",
5671 })
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]5672}
5673
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5674func addResumptionVersionTests() {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5675 for _, sessionVers := range tlsVersions {
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5676 for _, resumeVers := range tlsVersions {
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5677 // SSL 3.0 does not have tickets and TLS 1.3 does not
5678 // have session IDs, so skip their cross-resumption
5679 // tests.
5680 if (sessionVers.version >= VersionTLS13 && resumeVers.version == VersionSSL30) ||
5681 (resumeVers.version >= VersionTLS13 && sessionVers.version == VersionSSL30) {
5682 continue
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]5683 }
5684
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5685 protocols := []protocol{tls}
5686 if sessionVers.hasDTLS && resumeVers.hasDTLS {
5687 protocols = append(protocols, dtls)
David Benjaminbdf5e722014-11-11 00:52:15 -0500[diff] [blame]5688 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5689 for _, protocol := range protocols {
5690 suffix := "-" + sessionVers.name + "-" + resumeVers.name
5691 if protocol == dtls {
5692 suffix += "-DTLS"
5693 }
5694
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5695 if sessionVers.version == resumeVers.version {
5696 testCases = append(testCases, testCase{
5697 protocol: protocol,
5698 name: "Resume-Client" + suffix,
5699 resumeSession: true,
5700 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5701 MaxVersion: sessionVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5702 Bugs: ProtocolBugs{
5703 ExpectNoTLS12Session: sessionVers.version >= VersionTLS13,
5704 ExpectNoTLS13PSK: sessionVers.version < VersionTLS13,
5705 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5706 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5707 expectedVersion: sessionVers.version,
5708 expectedResumeVersion: resumeVers.version,
5709 })
5710 } else {
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5711 error := ":OLD_SESSION_VERSION_NOT_RETURNED:"
5712
5713 // Offering a TLS 1.3 session sends an empty session ID, so
5714 // there is no way to convince a non-lookahead client the
5715 // session was resumed. It will appear to the client that a
5716 // stray ChangeCipherSpec was sent.
5717 if resumeVers.version < VersionTLS13 && sessionVers.version >= VersionTLS13 {
5718 error = ":UNEXPECTED_RECORD:"
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5719 }
5720
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5721 testCases = append(testCases, testCase{
5722 protocol: protocol,
5723 name: "Resume-Client-Mismatch" + suffix,
5724 resumeSession: true,
5725 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5726 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5727 },
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5728 expectedVersion: sessionVers.version,
5729 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5730 MaxVersion: resumeVers.version,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5731 Bugs: ProtocolBugs{
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5732 AcceptAnySession: true,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5733 },
5734 },
5735 expectedResumeVersion: resumeVers.version,
5736 shouldFail: true,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]5737 expectedError: error,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5738 })
5739 }
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5740
5741 testCases = append(testCases, testCase{
5742 protocol: protocol,
5743 name: "Resume-Client-NoResume" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5744 resumeSession: true,
5745 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5746 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5747 },
5748 expectedVersion: sessionVers.version,
5749 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5750 MaxVersion: resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5751 },
5752 newSessionsOnResume: true,
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5753 expectResumeRejected: true,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5754 expectedResumeVersion: resumeVers.version,
5755 })
5756
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5757 testCases = append(testCases, testCase{
5758 protocol: protocol,
5759 testType: serverTest,
5760 name: "Resume-Server" + suffix,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5761 resumeSession: true,
5762 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5763 MaxVersion: sessionVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5764 },
Adam Langleyb0eef0a2015-06-02 10:47:39 -0700[diff] [blame]5765 expectedVersion: sessionVers.version,
5766 expectResumeRejected: sessionVers.version != resumeVers.version,
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5767 resumeConfig: &Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]5768 MaxVersion: resumeVers.version,
David Benjamin405da482016-08-08 17:25:07 -0400[diff] [blame]5769 Bugs: ProtocolBugs{
5770 SendBothTickets: true,
5771 },
David Benjamin8b8c0062014-11-23 02:47:52 -0500[diff] [blame]5772 },
5773 expectedResumeVersion: resumeVers.version,
5774 })
5775 }
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]5776 }
5777 }
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5778
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5779 // Make sure shim ticket mutations are functional.
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5780 testCases = append(testCases, testCase{
5781 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5782 name: "ShimTicketRewritable",
5783 resumeSession: true,
5784 config: Config{
5785 MaxVersion: VersionTLS12,
5786 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5787 Bugs: ProtocolBugs{
5788 FilterTicket: func(in []byte) ([]byte, error) {
5789 in, err := SetShimTicketVersion(in, VersionTLS12)
5790 if err != nil {
5791 return nil, err
5792 }
5793 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5794 },
5795 },
5796 },
5797 flags: []string{
5798 "-ticket-key",
5799 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5800 },
5801 })
5802
5803 // Resumptions are declined if the version does not match.
5804 testCases = append(testCases, testCase{
5805 testType: serverTest,
5806 name: "Resume-Server-DeclineCrossVersion",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5807 resumeSession: true,
5808 config: Config{
5809 MaxVersion: VersionTLS12,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5810 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5811 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5812 FilterTicket: func(in []byte) ([]byte, error) {
5813 return SetShimTicketVersion(in, VersionTLS13)
5814 },
5815 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5816 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5817 flags: []string{
5818 "-ticket-key",
5819 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5820 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5821 expectResumeRejected: true,
5822 })
5823
5824 testCases = append(testCases, testCase{
5825 testType: serverTest,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5826 name: "Resume-Server-DeclineCrossVersion-TLS13",
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5827 resumeSession: true,
5828 config: Config{
5829 MaxVersion: VersionTLS13,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5830 Bugs: ProtocolBugs{
5831 FilterTicket: func(in []byte) ([]byte, error) {
5832 return SetShimTicketVersion(in, VersionTLS12)
5833 },
5834 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5835 },
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5836 flags: []string{
5837 "-ticket-key",
5838 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5839 },
Steven Valdezb6b6ff32016-10-26 11:56:35 -0400[diff] [blame]5840 expectResumeRejected: true,
5841 })
5842
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5843 // Resumptions are declined if the cipher is invalid or disabled.
5844 testCases = append(testCases, testCase{
5845 testType: serverTest,
5846 name: "Resume-Server-DeclineBadCipher",
5847 resumeSession: true,
5848 config: Config{
5849 MaxVersion: VersionTLS12,
5850 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5851 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5852 FilterTicket: func(in []byte) ([]byte, error) {
5853 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5854 },
5855 },
5856 },
5857 flags: []string{
5858 "-ticket-key",
5859 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5860 },
5861 expectResumeRejected: true,
5862 })
5863
5864 testCases = append(testCases, testCase{
5865 testType: serverTest,
5866 name: "Resume-Server-DeclineBadCipher-2",
5867 resumeSession: true,
5868 config: Config{
5869 MaxVersion: VersionTLS12,
5870 Bugs: ProtocolBugs{
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5871 ExpectNewTicket: true,
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5872 FilterTicket: func(in []byte) ([]byte, error) {
5873 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384)
5874 },
5875 },
5876 },
5877 flags: []string{
5878 "-cipher", "AES128",
5879 "-ticket-key",
5880 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5881 },
5882 expectResumeRejected: true,
5883 })
5884
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5885 // Sessions are not resumed if they do not use the preferred cipher.
5886 testCases = append(testCases, testCase{
5887 testType: serverTest,
5888 name: "Resume-Server-CipherNotPreferred",
5889 resumeSession: true,
5890 config: Config{
5891 MaxVersion: VersionTLS12,
5892 Bugs: ProtocolBugs{
5893 ExpectNewTicket: true,
5894 FilterTicket: func(in []byte) ([]byte, error) {
5895 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA)
5896 },
5897 },
5898 },
5899 flags: []string{
5900 "-ticket-key",
5901 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5902 },
5903 shouldFail: false,
5904 expectResumeRejected: true,
5905 })
5906
5907 // TLS 1.3 allows sessions to be resumed at a different cipher if their
5908 // PRF hashes match, but BoringSSL will always decline such resumptions.
5909 testCases = append(testCases, testCase{
5910 testType: serverTest,
5911 name: "Resume-Server-CipherNotPreferred-TLS13",
5912 resumeSession: true,
5913 config: Config{
5914 MaxVersion: VersionTLS13,
5915 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256, TLS_AES_128_GCM_SHA256},
5916 Bugs: ProtocolBugs{
5917 FilterTicket: func(in []byte) ([]byte, error) {
5918 // If the client (runner) offers ChaCha20-Poly1305 first, the
5919 // server (shim) always prefers it. Switch it to AES-GCM.
5920 return SetShimTicketCipherSuite(in, TLS_AES_128_GCM_SHA256)
5921 },
5922 },
5923 },
5924 flags: []string{
5925 "-ticket-key",
5926 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5927 },
5928 shouldFail: false,
5929 expectResumeRejected: true,
5930 })
5931
5932 // Sessions may not be resumed if they contain another version's cipher.
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5933 testCases = append(testCases, testCase{
5934 testType: serverTest,
5935 name: "Resume-Server-DeclineBadCipher-TLS13",
5936 resumeSession: true,
5937 config: Config{
5938 MaxVersion: VersionTLS13,
5939 Bugs: ProtocolBugs{
5940 FilterTicket: func(in []byte) ([]byte, error) {
5941 return SetShimTicketCipherSuite(in, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256)
5942 },
5943 },
5944 },
5945 flags: []string{
5946 "-ticket-key",
5947 base64.StdEncoding.EncodeToString(TestShimTicketKey),
5948 },
5949 expectResumeRejected: true,
5950 })
5951
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5952 // If the client does not offer the cipher from the session, decline to
5953 // resume. Clients are forbidden from doing this, but BoringSSL selects
5954 // the cipher first, so we only decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5955 testCases = append(testCases, testCase{
5956 testType: serverTest,
5957 name: "Resume-Server-UnofferedCipher",
5958 resumeSession: true,
5959 config: Config{
5960 MaxVersion: VersionTLS12,
5961 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5962 },
5963 resumeConfig: &Config{
5964 MaxVersion: VersionTLS12,
5965 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
5966 Bugs: ProtocolBugs{
5967 SendCipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
5968 },
5969 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5970 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5971 })
5972
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5973 // In TLS 1.3, clients may advertise a cipher list which does not
5974 // include the selected cipher. Test that we tolerate this. Servers may
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]5975 // resume at another cipher if the PRF matches and are not doing 0-RTT, but
5976 // BoringSSL will always decline.
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5977 testCases = append(testCases, testCase{
5978 testType: serverTest,
5979 name: "Resume-Server-UnofferedCipher-TLS13",
5980 resumeSession: true,
5981 config: Config{
5982 MaxVersion: VersionTLS13,
5983 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5984 },
5985 resumeConfig: &Config{
5986 MaxVersion: VersionTLS13,
5987 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
5988 Bugs: ProtocolBugs{
5989 SendCipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
5990 },
5991 },
David Benjaminf01f42a2016-11-16 19:05:33 +0900[diff] [blame]5992 expectResumeRejected: true,
David Benjamin75f99142016-11-12 12:36:06 +0900[diff] [blame]5993 })
5994
David Benjamin4199b0d2016-11-01 13:58:25 -0400[diff] [blame]5995 // Sessions may not be resumed at a different cipher.
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]5996 testCases = append(testCases, testCase{
5997 name: "Resume-Client-CipherMismatch",
5998 resumeSession: true,
5999 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6000 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6001 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6002 },
6003 resumeConfig: &Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6004 MaxVersion: VersionTLS12,
David Benjaminece3de92015-03-16 18:02:20 -0400[diff] [blame]6005 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
6006 Bugs: ProtocolBugs{
6007 SendCipherSuite: TLS_RSA_WITH_AES_128_CBC_SHA,
6008 },
6009 },
6010 shouldFail: true,
6011 expectedError: ":OLD_SESSION_CIPHER_NOT_RETURNED:",
6012 })
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6013
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6014 // Session resumption in TLS 1.3 may change the cipher suite if the PRF
6015 // matches.
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6016 testCases = append(testCases, testCase{
6017 name: "Resume-Client-CipherMismatch-TLS13",
6018 resumeSession: true,
6019 config: Config{
6020 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6021 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6022 },
6023 resumeConfig: &Config{
6024 MaxVersion: VersionTLS13,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6025 CipherSuites: []uint16{TLS_CHACHA20_POLY1305_SHA256},
6026 },
6027 })
6028
6029 // Session resumption in TLS 1.3 is forbidden if the PRF does not match.
6030 testCases = append(testCases, testCase{
6031 name: "Resume-Client-PRFMismatch-TLS13",
6032 resumeSession: true,
6033 config: Config{
6034 MaxVersion: VersionTLS13,
6035 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
6036 },
6037 resumeConfig: &Config{
6038 MaxVersion: VersionTLS13,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6039 CipherSuites: []uint16{TLS_AES_128_GCM_SHA256},
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6040 Bugs: ProtocolBugs{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6041 SendCipherSuite: TLS_AES_256_GCM_SHA384,
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6042 },
6043 },
6044 shouldFail: true,
David Benjamine1cc35e2016-11-16 16:25:58 +0900[diff] [blame]6045 expectedError: ":OLD_SESSION_PRF_HASH_MISMATCH:",
Steven Valdez4aa154e2016-07-29 14:32:55 -0400[diff] [blame]6046 })
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6047
6048 testCases = append(testCases, testCase{
6049 testType: serverTest,
6050 name: "Resume-Server-BinderWrongLength",
6051 resumeSession: true,
6052 config: Config{
6053 MaxVersion: VersionTLS13,
6054 Bugs: ProtocolBugs{
6055 SendShortPSKBinder: true,
6056 },
6057 },
6058 shouldFail: true,
6059 expectedLocalError: "remote error: error decrypting message",
6060 expectedError: ":DIGEST_CHECK_FAILED:",
6061 })
6062
6063 testCases = append(testCases, testCase{
6064 testType: serverTest,
6065 name: "Resume-Server-NoPSKBinder",
6066 resumeSession: true,
6067 config: Config{
6068 MaxVersion: VersionTLS13,
6069 Bugs: ProtocolBugs{
6070 SendNoPSKBinder: true,
6071 },
6072 },
6073 shouldFail: true,
6074 expectedLocalError: "remote error: error decoding message",
6075 expectedError: ":DECODE_ERROR:",
6076 })
6077
6078 testCases = append(testCases, testCase{
6079 testType: serverTest,
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]6080 name: "Resume-Server-ExtraPSKBinder",
6081 resumeSession: true,
6082 config: Config{
6083 MaxVersion: VersionTLS13,
6084 Bugs: ProtocolBugs{
6085 SendExtraPSKBinder: true,
6086 },
6087 },
6088 shouldFail: true,
6089 expectedLocalError: "remote error: illegal parameter",
6090 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6091 })
6092
6093 testCases = append(testCases, testCase{
6094 testType: serverTest,
6095 name: "Resume-Server-ExtraIdentityNoBinder",
6096 resumeSession: true,
6097 config: Config{
6098 MaxVersion: VersionTLS13,
6099 Bugs: ProtocolBugs{
6100 ExtraPSKIdentity: true,
6101 },
6102 },
6103 shouldFail: true,
6104 expectedLocalError: "remote error: illegal parameter",
6105 expectedError: ":PSK_IDENTITY_BINDER_COUNT_MISMATCH:",
6106 })
6107
6108 testCases = append(testCases, testCase{
6109 testType: serverTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]6110 name: "Resume-Server-InvalidPSKBinder",
6111 resumeSession: true,
6112 config: Config{
6113 MaxVersion: VersionTLS13,
6114 Bugs: ProtocolBugs{
6115 SendInvalidPSKBinder: true,
6116 },
6117 },
6118 shouldFail: true,
6119 expectedLocalError: "remote error: error decrypting message",
6120 expectedError: ":DIGEST_CHECK_FAILED:",
6121 })
6122
6123 testCases = append(testCases, testCase{
6124 testType: serverTest,
6125 name: "Resume-Server-PSKBinderFirstExtension",
6126 resumeSession: true,
6127 config: Config{
6128 MaxVersion: VersionTLS13,
6129 Bugs: ProtocolBugs{
6130 PSKBinderFirst: true,
6131 },
6132 },
6133 shouldFail: true,
6134 expectedLocalError: "remote error: illegal parameter",
6135 expectedError: ":PRE_SHARED_KEY_MUST_BE_LAST:",
6136 })
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]6137}
6138
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6139func addRenegotiationTests() {
David Benjamin44d3eed2015-05-21 01:29:55 -0400[diff] [blame]6140 // Servers cannot renegotiate.
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6141 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6142 testType: serverTest,
6143 name: "Renegotiate-Server-Forbidden",
6144 config: Config{
6145 MaxVersion: VersionTLS12,
6146 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6147 renegotiate: 1,
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6148 shouldFail: true,
6149 expectedError: ":NO_RENEGOTIATION:",
6150 expectedLocalError: "remote error: no renegotiation",
6151 })
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6152 // The server shouldn't echo the renegotiation extension unless
6153 // requested by the client.
6154 testCases = append(testCases, testCase{
6155 testType: serverTest,
6156 name: "Renegotiate-Server-NoExt",
6157 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6158 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6159 Bugs: ProtocolBugs{
6160 NoRenegotiationInfo: true,
6161 RequireRenegotiationInfo: true,
6162 },
6163 },
6164 shouldFail: true,
6165 expectedLocalError: "renegotiation extension missing",
6166 })
6167 // The renegotiation SCSV should be sufficient for the server to echo
6168 // the extension.
6169 testCases = append(testCases, testCase{
6170 testType: serverTest,
6171 name: "Renegotiate-Server-NoExt-SCSV",
6172 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6173 MaxVersion: VersionTLS12,
Adam Langley5021b222015-06-12 18:27:58 -0700[diff] [blame]6174 Bugs: ProtocolBugs{
6175 NoRenegotiationInfo: true,
6176 SendRenegotiationSCSV: true,
6177 RequireRenegotiationInfo: true,
6178 },
6179 },
6180 })
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6181 testCases = append(testCases, testCase{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6182 name: "Renegotiate-Client",
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6183 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6184 MaxVersion: VersionTLS12,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6185 Bugs: ProtocolBugs{
David Benjamin4b27d9f2015-05-12 22:42:52 -0400[diff] [blame]6186 FailIfResumeOnRenego: true,
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6187 },
6188 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6189 renegotiate: 1,
6190 flags: []string{
6191 "-renegotiate-freely",
6192 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6193 "-expect-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6194 },
David Benjamincdea40c2015-03-19 14:09:43 -0400[diff] [blame]6195 })
6196 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6197 name: "Renegotiate-Client-EmptyExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6198 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6199 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6200 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6201 Bugs: ProtocolBugs{
6202 EmptyRenegotiationInfo: true,
6203 },
6204 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6205 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6206 shouldFail: true,
6207 expectedError: ":RENEGOTIATION_MISMATCH:",
6208 })
6209 testCases = append(testCases, testCase{
6210 name: "Renegotiate-Client-BadExt",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6211 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6212 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6213 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6214 Bugs: ProtocolBugs{
6215 BadRenegotiationInfo: true,
6216 },
6217 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6218 flags: []string{"-renegotiate-freely"},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6219 shouldFail: true,
6220 expectedError: ":RENEGOTIATION_MISMATCH:",
6221 })
6222 testCases = append(testCases, testCase{
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6223 name: "Renegotiate-Client-Downgrade",
6224 renegotiate: 1,
6225 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6226 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6227 Bugs: ProtocolBugs{
6228 NoRenegotiationInfoAfterInitial: true,
6229 },
6230 },
6231 flags: []string{"-renegotiate-freely"},
6232 shouldFail: true,
6233 expectedError: ":RENEGOTIATION_MISMATCH:",
6234 })
6235 testCases = append(testCases, testCase{
6236 name: "Renegotiate-Client-Upgrade",
6237 renegotiate: 1,
6238 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6239 MaxVersion: VersionTLS12,
David Benjamin3e052de2015-11-25 20:10:31 -0500[diff] [blame]6240 Bugs: ProtocolBugs{
6241 NoRenegotiationInfoInInitial: true,
6242 },
6243 },
6244 flags: []string{"-renegotiate-freely"},
6245 shouldFail: true,
6246 expectedError: ":RENEGOTIATION_MISMATCH:",
6247 })
6248 testCases = append(testCases, testCase{
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6249 name: "Renegotiate-Client-NoExt-Allowed",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6250 renegotiate: 1,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6251 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6252 MaxVersion: VersionTLS12,
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6253 Bugs: ProtocolBugs{
6254 NoRenegotiationInfo: true,
6255 },
6256 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6257 flags: []string{
6258 "-renegotiate-freely",
6259 "-expect-total-renegotiations", "1",
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6260 "-expect-no-secure-renegotiation",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6261 },
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6262 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6263
6264 // Test that the server may switch ciphers on renegotiation without
6265 // problems.
David Benjamincff0b902015-05-15 23:09:47 -0400[diff] [blame]6266 testCases = append(testCases, testCase{
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6267 name: "Renegotiate-Client-SwitchCiphers",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6268 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6269 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6270 MaxVersion: VersionTLS12,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6271 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6272 },
6273 renegotiateCiphers: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6274 flags: []string{
6275 "-renegotiate-freely",
6276 "-expect-total-renegotiations", "1",
6277 },
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6278 })
6279 testCases = append(testCases, testCase{
6280 name: "Renegotiate-Client-SwitchCiphers2",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6281 renegotiate: 1,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6282 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6283 MaxVersion: VersionTLS12,
Adam Langleycf2d4f42014-10-28 19:06:14 -0700[diff] [blame]6284 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6285 },
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]6286 renegotiateCiphers: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6287 flags: []string{
6288 "-renegotiate-freely",
6289 "-expect-total-renegotiations", "1",
6290 },
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6291 })
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6292
6293 // Test that the server may not switch versions on renegotiation.
6294 testCases = append(testCases, testCase{
6295 name: "Renegotiate-Client-SwitchVersion",
6296 config: Config{
6297 MaxVersion: VersionTLS12,
6298 // Pick a cipher which exists at both versions.
6299 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_CBC_SHA},
6300 Bugs: ProtocolBugs{
6301 NegotiateVersionOnRenego: VersionTLS11,
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]6302 // Avoid failing early at the record layer.
6303 SendRecordVersion: VersionTLS12,
David Benjamine7e36aa2016-08-08 12:39:41 -0400[diff] [blame]6304 },
6305 },
6306 renegotiate: 1,
6307 flags: []string{
6308 "-renegotiate-freely",
6309 "-expect-total-renegotiations", "1",
6310 },
6311 shouldFail: true,
6312 expectedError: ":WRONG_SSL_VERSION:",
6313 })
6314
David Benjaminb16346b2015-04-08 19:16:58 -0400[diff] [blame]6315 testCases = append(testCases, testCase{
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6316 name: "Renegotiate-SameClientVersion",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6317 renegotiate: 1,
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6318 config: Config{
6319 MaxVersion: VersionTLS10,
6320 Bugs: ProtocolBugs{
6321 RequireSameRenegoClientVersion: true,
6322 },
6323 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6324 flags: []string{
6325 "-renegotiate-freely",
6326 "-expect-total-renegotiations", "1",
6327 },
David Benjaminc44b1df2014-11-23 12:11:01 -0500[diff] [blame]6328 })
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6329 testCases = append(testCases, testCase{
6330 name: "Renegotiate-FalseStart",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6331 renegotiate: 1,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6332 config: Config{
Nick Harper1fd39d82016-06-14 18:14:35 -0700[diff] [blame]6333 MaxVersion: VersionTLS12,
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6334 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
6335 NextProtos: []string{"foo"},
6336 },
6337 flags: []string{
6338 "-false-start",
6339 "-select-next-proto", "foo",
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6340 "-renegotiate-freely",
David Benjamin324dce42015-10-12 19:49:00 -0400[diff] [blame]6341 "-expect-total-renegotiations", "1",
Adam Langleyb558c4c2015-07-08 12:16:38 -0700[diff] [blame]6342 },
6343 shimWritesFirst: true,
6344 })
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6345
6346 // Client-side renegotiation controls.
6347 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6348 name: "Renegotiate-Client-Forbidden-1",
6349 config: Config{
6350 MaxVersion: VersionTLS12,
6351 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6352 renegotiate: 1,
6353 shouldFail: true,
6354 expectedError: ":NO_RENEGOTIATION:",
6355 expectedLocalError: "remote error: no renegotiation",
6356 })
6357 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6358 name: "Renegotiate-Client-Once-1",
6359 config: Config{
6360 MaxVersion: VersionTLS12,
6361 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6362 renegotiate: 1,
6363 flags: []string{
6364 "-renegotiate-once",
6365 "-expect-total-renegotiations", "1",
6366 },
6367 })
6368 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6369 name: "Renegotiate-Client-Freely-1",
6370 config: Config{
6371 MaxVersion: VersionTLS12,
6372 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6373 renegotiate: 1,
6374 flags: []string{
6375 "-renegotiate-freely",
6376 "-expect-total-renegotiations", "1",
6377 },
6378 })
6379 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6380 name: "Renegotiate-Client-Once-2",
6381 config: Config{
6382 MaxVersion: VersionTLS12,
6383 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6384 renegotiate: 2,
6385 flags: []string{"-renegotiate-once"},
6386 shouldFail: true,
6387 expectedError: ":NO_RENEGOTIATION:",
6388 expectedLocalError: "remote error: no renegotiation",
6389 })
6390 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6391 name: "Renegotiate-Client-Freely-2",
6392 config: Config{
6393 MaxVersion: VersionTLS12,
6394 },
David Benjamin1d5ef3b2015-10-12 19:54:18 -0400[diff] [blame]6395 renegotiate: 2,
6396 flags: []string{
6397 "-renegotiate-freely",
6398 "-expect-total-renegotiations", "2",
6399 },
6400 })
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6401 testCases = append(testCases, testCase{
6402 name: "Renegotiate-Client-NoIgnore",
6403 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6404 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6405 Bugs: ProtocolBugs{
6406 SendHelloRequestBeforeEveryAppDataRecord: true,
6407 },
6408 },
6409 shouldFail: true,
6410 expectedError: ":NO_RENEGOTIATION:",
6411 })
6412 testCases = append(testCases, testCase{
6413 name: "Renegotiate-Client-Ignore",
6414 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6415 MaxVersion: VersionTLS12,
Adam Langley27a0d082015-11-03 13:34:10 -0800[diff] [blame]6416 Bugs: ProtocolBugs{
6417 SendHelloRequestBeforeEveryAppDataRecord: true,
6418 },
6419 },
6420 flags: []string{
6421 "-renegotiate-ignore",
6422 "-expect-total-renegotiations", "0",
6423 },
6424 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6425
David Benjamin34941c02016-10-08 11:45:31 -0400[diff] [blame]6426 // Renegotiation is not allowed at SSL 3.0.
6427 testCases = append(testCases, testCase{
6428 name: "Renegotiate-Client-SSL3",
6429 config: Config{
6430 MaxVersion: VersionSSL30,
6431 },
6432 renegotiate: 1,
6433 flags: []string{
6434 "-renegotiate-freely",
6435 "-expect-total-renegotiations", "1",
6436 },
6437 shouldFail: true,
6438 expectedError: ":NO_RENEGOTIATION:",
6439 expectedLocalError: "remote error: no renegotiation",
6440 })
6441
David Benjamina1eaba12017-01-01 23:19:22 -0500[diff] [blame]6442 // Renegotiation is not allowed when there is an unfinished write.
6443 testCases = append(testCases, testCase{
6444 name: "Renegotiate-Client-UnfinishedWrite",
6445 config: Config{
6446 MaxVersion: VersionTLS12,
6447 },
6448 renegotiate: 1,
6449 flags: []string{
6450 "-async",
6451 "-renegotiate-freely",
6452 "-read-with-unfinished-write",
6453 },
6454 shouldFail: true,
6455 expectedError: ":NO_RENEGOTIATION:",
6456 // We do not successfully send the no_renegotiation alert in
6457 // this case. https://crbug.com/boringssl/130
6458 })
6459
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6460 // We reject stray HelloRequests during the handshake in TLS 1.2.
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6461 testCases = append(testCases, testCase{
6462 name: "StrayHelloRequest",
6463 config: Config{
6464 MaxVersion: VersionTLS12,
6465 Bugs: ProtocolBugs{
6466 SendHelloRequestBeforeEveryHandshakeMessage: true,
6467 },
6468 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6469 shouldFail: true,
6470 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6471 })
6472 testCases = append(testCases, testCase{
6473 name: "StrayHelloRequest-Packed",
6474 config: Config{
6475 MaxVersion: VersionTLS12,
6476 Bugs: ProtocolBugs{
6477 PackHandshakeFlight: true,
6478 SendHelloRequestBeforeEveryHandshakeMessage: true,
6479 },
6480 },
David Benjamin07ab5d42017-02-09 20:11:41 -0500[diff] [blame]6481 shouldFail: true,
6482 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin71dd6662016-07-08 14:10:48 -0700[diff] [blame]6483 })
6484
David Benjamin12d2c482016-07-24 10:56:51 -0400[diff] [blame]6485 // Test renegotiation works if HelloRequest and server Finished come in
6486 // the same record.
6487 testCases = append(testCases, testCase{
6488 name: "Renegotiate-Client-Packed",
6489 config: Config{
6490 MaxVersion: VersionTLS12,
6491 Bugs: ProtocolBugs{
6492 PackHandshakeFlight: true,
6493 PackHelloRequestWithFinished: true,
6494 },
6495 },
6496 renegotiate: 1,
6497 flags: []string{
6498 "-renegotiate-freely",
6499 "-expect-total-renegotiations", "1",
6500 },
6501 })
6502
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6503 // Renegotiation is forbidden in TLS 1.3.
6504 testCases = append(testCases, testCase{
6505 name: "Renegotiate-Client-TLS13",
6506 config: Config{
6507 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6508 Bugs: ProtocolBugs{
6509 SendHelloRequestBeforeEveryAppDataRecord: true,
6510 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6511 },
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6512 flags: []string{
6513 "-renegotiate-freely",
6514 },
Steven Valdez8e1c7be2016-07-26 12:39:22 -0400[diff] [blame]6515 shouldFail: true,
6516 expectedError: ":UNEXPECTED_MESSAGE:",
David Benjamin397c8e62016-07-08 14:14:36 -0700[diff] [blame]6517 })
6518
6519 // Stray HelloRequests during the handshake are forbidden in TLS 1.3.
6520 testCases = append(testCases, testCase{
6521 name: "StrayHelloRequest-TLS13",
6522 config: Config{
6523 MaxVersion: VersionTLS13,
6524 Bugs: ProtocolBugs{
6525 SendHelloRequestBeforeEveryHandshakeMessage: true,
6526 },
6527 },
6528 shouldFail: true,
6529 expectedError: ":UNEXPECTED_MESSAGE:",
6530 })
David Benjamind2610042017-01-03 10:49:28 -0500[diff] [blame]6531
6532 // The renegotiation_info extension is not sent in TLS 1.3, but TLS 1.3
6533 // always reads as supporting it, regardless of whether it was
6534 // negotiated.
6535 testCases = append(testCases, testCase{
6536 name: "AlwaysReportRenegotiationInfo-TLS13",
6537 config: Config{
6538 MaxVersion: VersionTLS13,
6539 Bugs: ProtocolBugs{
6540 NoRenegotiationInfo: true,
6541 },
6542 },
6543 flags: []string{
6544 "-expect-secure-renegotiation",
6545 },
6546 })
David Benjamina58baaf2017-02-28 20:54:28 -0500[diff] [blame]6547
6548 // Certificates may not change on renegotiation.
6549 testCases = append(testCases, testCase{
6550 name: "Renegotiation-CertificateChange",
6551 config: Config{
6552 MaxVersion: VersionTLS12,
6553 Certificates: []Certificate{rsaCertificate},
6554 Bugs: ProtocolBugs{
6555 RenegotiationCertificate: &rsaChainCertificate,
6556 },
6557 },
6558 renegotiate: 1,
6559 flags: []string{"-renegotiate-freely"},
6560 shouldFail: true,
6561 expectedError: ":SERVER_CERT_CHANGED:",
6562 })
6563 testCases = append(testCases, testCase{
6564 name: "Renegotiation-CertificateChange-2",
6565 config: Config{
6566 MaxVersion: VersionTLS12,
6567 Certificates: []Certificate{rsaCertificate},
6568 Bugs: ProtocolBugs{
6569 RenegotiationCertificate: &rsa1024Certificate,
6570 },
6571 },
6572 renegotiate: 1,
6573 flags: []string{"-renegotiate-freely"},
6574 shouldFail: true,
6575 expectedError: ":SERVER_CERT_CHANGED:",
6576 })
David Benjaminbbf42462017-03-14 21:27:10 -0400[diff] [blame]6577
6578 // We do not negotiate ALPN after the initial handshake. This is
6579 // error-prone and only risks bugs in consumers.
6580 testCases = append(testCases, testCase{
6581 testType: clientTest,
6582 name: "Renegotiation-ForbidALPN",
6583 config: Config{
6584 MaxVersion: VersionTLS12,
6585 Bugs: ProtocolBugs{
6586 // Forcibly negotiate ALPN on both initial and
6587 // renegotiation handshakes. The test stack will
6588 // internally check the client does not offer
6589 // it.
6590 SendALPN: "foo",
6591 },
6592 },
6593 flags: []string{
6594 "-advertise-alpn", "\x03foo\x03bar\x03baz",
6595 "-expect-alpn", "foo",
6596 "-renegotiate-freely",
6597 },
6598 renegotiate: 1,
6599 shouldFail: true,
6600 expectedError: ":UNEXPECTED_EXTENSION:",
6601 })
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]6602}
6603
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6604func addDTLSReplayTests() {
6605 // Test that sequence number replays are detected.
6606 testCases = append(testCases, testCase{
6607 protocol: dtls,
6608 name: "DTLS-Replay",
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6609 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6610 replayWrites: true,
6611 })
6612
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6613 // Test the incoming sequence number skipping by values larger
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6614 // than the retransmit window.
6615 testCases = append(testCases, testCase{
6616 protocol: dtls,
6617 name: "DTLS-Replay-LargeGaps",
6618 config: Config{
6619 Bugs: ProtocolBugs{
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6620 SequenceNumberMapping: func(in uint64) uint64 {
6621 return in * 127
6622 },
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6623 },
6624 },
David Benjamin8e6db492015-07-25 18:29:23 -0400[diff] [blame]6625 messageCount: 200,
6626 replayWrites: true,
6627 })
6628
6629 // Test the incoming sequence number changing non-monotonically.
6630 testCases = append(testCases, testCase{
6631 protocol: dtls,
6632 name: "DTLS-Replay-NonMonotonic",
6633 config: Config{
6634 Bugs: ProtocolBugs{
6635 SequenceNumberMapping: func(in uint64) uint64 {
6636 return in ^ 31
6637 },
6638 },
6639 },
6640 messageCount: 200,
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]6641 replayWrites: true,
6642 })
6643}
6644
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6645var testSignatureAlgorithms = []struct {
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6646 name string
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6647 id signatureAlgorithm
6648 cert testCert
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6649}{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6650 {"RSA-PKCS1-SHA1", signatureRSAPKCS1WithSHA1, testCertRSA},
6651 {"RSA-PKCS1-SHA256", signatureRSAPKCS1WithSHA256, testCertRSA},
6652 {"RSA-PKCS1-SHA384", signatureRSAPKCS1WithSHA384, testCertRSA},
6653 {"RSA-PKCS1-SHA512", signatureRSAPKCS1WithSHA512, testCertRSA},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6654 {"ECDSA-SHA1", signatureECDSAWithSHA1, testCertECDSAP256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]6655 {"ECDSA-P256-SHA256", signatureECDSAWithP256AndSHA256, testCertECDSAP256},
6656 {"ECDSA-P384-SHA384", signatureECDSAWithP384AndSHA384, testCertECDSAP384},
6657 {"ECDSA-P521-SHA512", signatureECDSAWithP521AndSHA512, testCertECDSAP521},
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6658 {"RSA-PSS-SHA256", signatureRSAPSSWithSHA256, testCertRSA},
6659 {"RSA-PSS-SHA384", signatureRSAPSSWithSHA384, testCertRSA},
6660 {"RSA-PSS-SHA512", signatureRSAPSSWithSHA512, testCertRSA},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6661 // Tests for key types prior to TLS 1.2.
6662 {"RSA", 0, testCertRSA},
6663 {"ECDSA", 0, testCertECDSAP256},
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6664}
6665
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6666const fakeSigAlg1 signatureAlgorithm = 0x2a01
6667const fakeSigAlg2 signatureAlgorithm = 0xff01
6668
6669func addSignatureAlgorithmTests() {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6670 // Not all ciphers involve a signature. Advertise a list which gives all
6671 // versions a signing cipher.
6672 signingCiphers := []uint16{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6673 TLS_AES_128_GCM_SHA256,
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6674 TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
6675 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
6676 TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
6677 TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6678 }
6679 if *includeDHE {
6680 signingCiphers = append(signingCiphers, TLS_DHE_RSA_WITH_AES_128_CBC_SHA)
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6681 }
6682
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6683 var allAlgorithms []signatureAlgorithm
6684 for _, alg := range testSignatureAlgorithms {
6685 if alg.id != 0 {
6686 allAlgorithms = append(allAlgorithms, alg.id)
6687 }
6688 }
6689
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6690 // Make sure each signature algorithm works. Include some fake values in
6691 // the list and ensure they're ignored.
6692 for _, alg := range testSignatureAlgorithms {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6693 for _, ver := range tlsVersions {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6694 if (ver.version < VersionTLS12) != (alg.id == 0) {
6695 continue
6696 }
6697
6698 // TODO(davidben): Support ECDSA in SSL 3.0 in Go for testing
6699 // or remove it in C.
6700 if ver.version == VersionSSL30 && alg.cert != testCertRSA {
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6701 continue
6702 }
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6703
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6704 var shouldSignFail, shouldVerifyFail bool
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6705 // ecdsa_sha1 does not exist in TLS 1.3.
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6706 if ver.version >= VersionTLS13 && alg.id == signatureECDSAWithSHA1 {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6707 shouldSignFail = true
6708 shouldVerifyFail = true
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6709 }
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6710 // RSA-PKCS1 does not exist in TLS 1.3.
6711 if ver.version == VersionTLS13 && hasComponent(alg.name, "PKCS1") {
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6712 shouldSignFail = true
6713 shouldVerifyFail = true
6714 }
6715
6716 // BoringSSL will sign SHA-1 and SHA-512 with ECDSA but not accept them.
6717 if alg.id == signatureECDSAWithSHA1 || alg.id == signatureECDSAWithP521AndSHA512 {
6718 shouldVerifyFail = true
Steven Valdez54ed58e2016-08-18 14:03:49 -0400[diff] [blame]6719 }
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6720
6721 var signError, verifyError string
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6722 if shouldSignFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6723 signError = ":NO_COMMON_SIGNATURE_ALGORITHMS:"
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6724 }
6725 if shouldVerifyFail {
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6726 verifyError = ":WRONG_SIGNATURE_TYPE:"
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6727 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6728
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6729 suffix := "-" + alg.name + "-" + ver.name
David Benjamin6e807652015-11-02 12:02:20 -0500[diff] [blame]6730
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6731 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6732 name: "ClientAuth-Sign" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6733 config: Config{
6734 MaxVersion: ver.version,
6735 ClientAuth: RequireAnyClientCert,
6736 VerifySignatureAlgorithms: []signatureAlgorithm{
6737 fakeSigAlg1,
6738 alg.id,
6739 fakeSigAlg2,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6740 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6741 },
6742 flags: []string{
6743 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6744 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6745 "-enable-all-curves",
6746 },
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6747 shouldFail: shouldSignFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6748 expectedError: signError,
6749 expectedPeerSignatureAlgorithm: alg.id,
6750 })
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6751
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6752 testCases = append(testCases, testCase{
6753 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6754 name: "ClientAuth-Verify" + suffix,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6755 config: Config{
6756 MaxVersion: ver.version,
6757 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6758 SignSignatureAlgorithms: []signatureAlgorithm{
6759 alg.id,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6760 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6761 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6762 SkipECDSACurveCheck: shouldVerifyFail,
6763 IgnoreSignatureVersionChecks: shouldVerifyFail,
6764 // Some signature algorithms may not be advertised.
6765 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6766 },
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6767 },
6768 flags: []string{
6769 "-require-any-client-certificate",
6770 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6771 "-enable-all-curves",
6772 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6773 // Resume the session to assert the peer signature
6774 // algorithm is reported on both handshakes.
6775 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6776 shouldFail: shouldVerifyFail,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6777 expectedError: verifyError,
6778 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6779
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6780 // No signing cipher for SSL 3.0.
6781 if *includeDHE || ver.version > VersionSSL30 {
6782 testCases = append(testCases, testCase{
6783 testType: serverTest,
6784 name: "ServerAuth-Sign" + suffix,
6785 config: Config{
6786 MaxVersion: ver.version,
6787 CipherSuites: signingCiphers,
6788 VerifySignatureAlgorithms: []signatureAlgorithm{
6789 fakeSigAlg1,
6790 alg.id,
6791 fakeSigAlg2,
6792 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6793 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]6794 flags: []string{
6795 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6796 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6797 "-enable-all-curves",
6798 },
6799 shouldFail: shouldSignFail,
6800 expectedError: signError,
6801 expectedPeerSignatureAlgorithm: alg.id,
6802 })
6803 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6804
6805 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6806 name: "ServerAuth-Verify" + suffix,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6807 config: Config{
6808 MaxVersion: ver.version,
6809 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6810 CipherSuites: signingCiphers,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6811 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6812 alg.id,
6813 },
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6814 Bugs: ProtocolBugs{
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6815 SkipECDSACurveCheck: shouldVerifyFail,
6816 IgnoreSignatureVersionChecks: shouldVerifyFail,
6817 // Some signature algorithms may not be advertised.
6818 IgnorePeerSignatureAlgorithmPreferences: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6819 },
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6820 },
6821 flags: []string{
6822 "-expect-peer-signature-algorithm", strconv.Itoa(int(alg.id)),
6823 "-enable-all-curves",
6824 },
David Benjaminf1050fd2016-12-13 20:05:36 -0500[diff] [blame]6825 // Resume the session to assert the peer signature
6826 // algorithm is reported on both handshakes.
6827 resumeSession: !shouldVerifyFail,
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6828 shouldFail: shouldVerifyFail,
Steven Valdezeff1e8d2016-07-06 14:24:47 -0400[diff] [blame]6829 expectedError: verifyError,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6830 })
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6831
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6832 if !shouldVerifyFail {
David Benjamin5208fd42016-07-13 21:43:25 -0400[diff] [blame]6833 testCases = append(testCases, testCase{
6834 testType: serverTest,
6835 name: "ClientAuth-InvalidSignature" + suffix,
6836 config: Config{
6837 MaxVersion: ver.version,
6838 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6839 SignSignatureAlgorithms: []signatureAlgorithm{
6840 alg.id,
6841 },
6842 Bugs: ProtocolBugs{
6843 InvalidSignature: true,
6844 },
6845 },
6846 flags: []string{
6847 "-require-any-client-certificate",
6848 "-enable-all-curves",
6849 },
6850 shouldFail: true,
6851 expectedError: ":BAD_SIGNATURE:",
6852 })
6853
6854 testCases = append(testCases, testCase{
6855 name: "ServerAuth-InvalidSignature" + suffix,
6856 config: Config{
6857 MaxVersion: ver.version,
6858 Certificates: []Certificate{getRunnerCertificate(alg.cert)},
6859 CipherSuites: signingCiphers,
6860 SignSignatureAlgorithms: []signatureAlgorithm{
6861 alg.id,
6862 },
6863 Bugs: ProtocolBugs{
6864 InvalidSignature: true,
6865 },
6866 },
6867 flags: []string{"-enable-all-curves"},
6868 shouldFail: true,
6869 expectedError: ":BAD_SIGNATURE:",
6870 })
6871 }
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6872
David Benjamin3ef76972016-10-17 17:59:54 -0400[diff] [blame]6873 if ver.version >= VersionTLS12 && !shouldSignFail {
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]6874 testCases = append(testCases, testCase{
6875 name: "ClientAuth-Sign-Negotiate" + suffix,
6876 config: Config{
6877 MaxVersion: ver.version,
6878 ClientAuth: RequireAnyClientCert,
6879 VerifySignatureAlgorithms: allAlgorithms,
6880 },
6881 flags: []string{
6882 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6883 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6884 "-enable-all-curves",
6885 "-signing-prefs", strconv.Itoa(int(alg.id)),
6886 },
6887 expectedPeerSignatureAlgorithm: alg.id,
6888 })
6889
6890 testCases = append(testCases, testCase{
6891 testType: serverTest,
6892 name: "ServerAuth-Sign-Negotiate" + suffix,
6893 config: Config{
6894 MaxVersion: ver.version,
6895 CipherSuites: signingCiphers,
6896 VerifySignatureAlgorithms: allAlgorithms,
6897 },
6898 flags: []string{
6899 "-cert-file", path.Join(*resourceDir, getShimCertificate(alg.cert)),
6900 "-key-file", path.Join(*resourceDir, getShimKey(alg.cert)),
6901 "-enable-all-curves",
6902 "-signing-prefs", strconv.Itoa(int(alg.id)),
6903 },
6904 expectedPeerSignatureAlgorithm: alg.id,
6905 })
6906 }
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]6907 }
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6908 }
6909
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6910 // Test that algorithm selection takes the key type into account.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6911 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6912 name: "ClientAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6913 config: Config{
6914 ClientAuth: RequireAnyClientCert,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6915 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6916 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6917 signatureECDSAWithP521AndSHA512,
6918 signatureRSAPKCS1WithSHA384,
6919 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6920 },
6921 },
6922 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]6923 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6924 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6925 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6926 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6927 })
6928
6929 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6930 name: "ClientAuth-SignatureType-TLS13",
6931 config: Config{
6932 ClientAuth: RequireAnyClientCert,
6933 MaxVersion: VersionTLS13,
6934 VerifySignatureAlgorithms: []signatureAlgorithm{
6935 signatureECDSAWithP521AndSHA512,
6936 signatureRSAPKCS1WithSHA384,
6937 signatureRSAPSSWithSHA384,
6938 signatureECDSAWithSHA1,
6939 },
6940 },
6941 flags: []string{
6942 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
6943 "-key-file", path.Join(*resourceDir, rsaKeyFile),
6944 },
6945 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6946 })
6947
6948 testCases = append(testCases, testCase{
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6949 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]6950 name: "ServerAuth-SignatureType",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6951 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]6952 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6953 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6954 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6955 signatureECDSAWithP521AndSHA512,
6956 signatureRSAPKCS1WithSHA384,
6957 signatureECDSAWithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6958 },
6959 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]6960 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA384,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]6961 })
6962
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6963 testCases = append(testCases, testCase{
6964 testType: serverTest,
6965 name: "ServerAuth-SignatureType-TLS13",
6966 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]6967 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]6968 VerifySignatureAlgorithms: []signatureAlgorithm{
6969 signatureECDSAWithP521AndSHA512,
6970 signatureRSAPKCS1WithSHA384,
6971 signatureRSAPSSWithSHA384,
6972 signatureECDSAWithSHA1,
6973 },
6974 },
6975 expectedPeerSignatureAlgorithm: signatureRSAPSSWithSHA384,
6976 })
6977
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6978 // Test that signature verification takes the key type into account.
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6979 testCases = append(testCases, testCase{
6980 testType: serverTest,
6981 name: "Verify-ClientAuth-SignatureType",
6982 config: Config{
6983 MaxVersion: VersionTLS12,
6984 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]6985 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]6986 signatureRSAPKCS1WithSHA256,
6987 },
6988 Bugs: ProtocolBugs{
6989 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
6990 },
6991 },
6992 flags: []string{
6993 "-require-any-client-certificate",
6994 },
6995 shouldFail: true,
6996 expectedError: ":WRONG_SIGNATURE_TYPE:",
6997 })
6998
6999 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7000 testType: serverTest,
7001 name: "Verify-ClientAuth-SignatureType-TLS13",
7002 config: Config{
7003 MaxVersion: VersionTLS13,
7004 Certificates: []Certificate{rsaCertificate},
7005 SignSignatureAlgorithms: []signatureAlgorithm{
7006 signatureRSAPSSWithSHA256,
7007 },
7008 Bugs: ProtocolBugs{
7009 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7010 },
7011 },
7012 flags: []string{
7013 "-require-any-client-certificate",
7014 },
7015 shouldFail: true,
7016 expectedError: ":WRONG_SIGNATURE_TYPE:",
7017 })
7018
7019 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7020 name: "Verify-ServerAuth-SignatureType",
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7021 config: Config{
7022 MaxVersion: VersionTLS12,
7023 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7024 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamina95e9f32016-07-08 16:28:04 -0700[diff] [blame]7025 signatureRSAPKCS1WithSHA256,
7026 },
7027 Bugs: ProtocolBugs{
7028 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7029 },
7030 },
7031 shouldFail: true,
7032 expectedError: ":WRONG_SIGNATURE_TYPE:",
7033 })
7034
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7035 testCases = append(testCases, testCase{
7036 name: "Verify-ServerAuth-SignatureType-TLS13",
7037 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7038 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7039 SignSignatureAlgorithms: []signatureAlgorithm{
7040 signatureRSAPSSWithSHA256,
7041 },
7042 Bugs: ProtocolBugs{
7043 SendSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7044 },
7045 },
7046 shouldFail: true,
7047 expectedError: ":WRONG_SIGNATURE_TYPE:",
7048 })
7049
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7050 // Test that, if the list is missing, the peer falls back to SHA-1 in
7051 // TLS 1.2, but not TLS 1.3.
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7052 testCases = append(testCases, testCase{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7053 name: "ClientAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7054 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7055 MaxVersion: VersionTLS12,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7056 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7057 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7058 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7059 },
7060 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7061 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7062 },
7063 },
7064 flags: []string{
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]7065 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7066 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7067 },
7068 })
7069
7070 testCases = append(testCases, testCase{
7071 testType: serverTest,
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7072 name: "ServerAuth-SHA1-Fallback-RSA",
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7073 config: Config{
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7074 MaxVersion: VersionTLS12,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7075 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7076 signatureRSAPKCS1WithSHA1,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7077 },
7078 Bugs: ProtocolBugs{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7079 NoSignatureAlgorithms: true,
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7080 },
7081 },
David Benjaminee32bea2016-08-17 13:36:44 -0400[diff] [blame]7082 flags: []string{
7083 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7084 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7085 },
7086 })
7087
7088 testCases = append(testCases, testCase{
7089 name: "ClientAuth-SHA1-Fallback-ECDSA",
7090 config: Config{
7091 MaxVersion: VersionTLS12,
7092 ClientAuth: RequireAnyClientCert,
7093 VerifySignatureAlgorithms: []signatureAlgorithm{
7094 signatureECDSAWithSHA1,
7095 },
7096 Bugs: ProtocolBugs{
7097 NoSignatureAlgorithms: true,
7098 },
7099 },
7100 flags: []string{
7101 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7102 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7103 },
7104 })
7105
7106 testCases = append(testCases, testCase{
7107 testType: serverTest,
7108 name: "ServerAuth-SHA1-Fallback-ECDSA",
7109 config: Config{
7110 MaxVersion: VersionTLS12,
7111 VerifySignatureAlgorithms: []signatureAlgorithm{
7112 signatureECDSAWithSHA1,
7113 },
7114 Bugs: ProtocolBugs{
7115 NoSignatureAlgorithms: true,
7116 },
7117 },
7118 flags: []string{
7119 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7120 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7121 },
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7122 })
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7123
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7124 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7125 name: "ClientAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7126 config: Config{
7127 MaxVersion: VersionTLS13,
7128 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7129 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7130 signatureRSAPKCS1WithSHA1,
7131 },
7132 Bugs: ProtocolBugs{
7133 NoSignatureAlgorithms: true,
7134 },
7135 },
7136 flags: []string{
7137 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7138 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7139 },
David Benjamin48901652016-08-01 12:12:47 -0400[diff] [blame]7140 shouldFail: true,
7141 // An empty CertificateRequest signature algorithm list is a
7142 // syntax error in TLS 1.3.
7143 expectedError: ":DECODE_ERROR:",
7144 expectedLocalError: "remote error: error decoding message",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7145 })
7146
7147 testCases = append(testCases, testCase{
7148 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7149 name: "ServerAuth-NoFallback-TLS13",
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7150 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7151 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7152 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin51dd7d62016-07-08 16:07:01 -0700[diff] [blame]7153 signatureRSAPKCS1WithSHA1,
7154 },
7155 Bugs: ProtocolBugs{
7156 NoSignatureAlgorithms: true,
7157 },
7158 },
7159 shouldFail: true,
7160 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7161 })
7162
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7163 // Test that hash preferences are enforced. BoringSSL does not implement
7164 // MD5 signatures.
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7165 testCases = append(testCases, testCase{
7166 testType: serverTest,
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7167 name: "ClientAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7168 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7169 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7170 Certificates: []Certificate{rsaCertificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7171 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7172 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7173 },
7174 Bugs: ProtocolBugs{
7175 IgnorePeerSignatureAlgorithmPreferences: true,
7176 },
7177 },
7178 flags: []string{"-require-any-client-certificate"},
7179 shouldFail: true,
7180 expectedError: ":WRONG_SIGNATURE_TYPE:",
7181 })
7182
7183 testCases = append(testCases, testCase{
David Benjaminbbfff7c2016-07-13 21:08:33 -0400[diff] [blame]7184 name: "ServerAuth-Enforced",
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7185 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7186 MaxVersion: VersionTLS12,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7187 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7188 SignSignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7189 signatureRSAPKCS1WithMD5,
David Benjamin72dc7832015-03-16 17:49:43 -0400[diff] [blame]7190 },
7191 Bugs: ProtocolBugs{
7192 IgnorePeerSignatureAlgorithmPreferences: true,
7193 },
7194 },
7195 shouldFail: true,
7196 expectedError: ":WRONG_SIGNATURE_TYPE:",
7197 })
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7198 testCases = append(testCases, testCase{
7199 testType: serverTest,
7200 name: "ClientAuth-Enforced-TLS13",
7201 config: Config{
7202 MaxVersion: VersionTLS13,
7203 Certificates: []Certificate{rsaCertificate},
7204 SignSignatureAlgorithms: []signatureAlgorithm{
7205 signatureRSAPKCS1WithMD5,
7206 },
7207 Bugs: ProtocolBugs{
7208 IgnorePeerSignatureAlgorithmPreferences: true,
7209 IgnoreSignatureVersionChecks: true,
7210 },
7211 },
7212 flags: []string{"-require-any-client-certificate"},
7213 shouldFail: true,
7214 expectedError: ":WRONG_SIGNATURE_TYPE:",
7215 })
7216
7217 testCases = append(testCases, testCase{
7218 name: "ServerAuth-Enforced-TLS13",
7219 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7220 MaxVersion: VersionTLS13,
David Benjaminb62d2872016-07-18 14:55:02 +0200[diff] [blame]7221 SignSignatureAlgorithms: []signatureAlgorithm{
7222 signatureRSAPKCS1WithMD5,
7223 },
7224 Bugs: ProtocolBugs{
7225 IgnorePeerSignatureAlgorithmPreferences: true,
7226 IgnoreSignatureVersionChecks: true,
7227 },
7228 },
7229 shouldFail: true,
7230 expectedError: ":WRONG_SIGNATURE_TYPE:",
7231 })
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7232
7233 // Test that the agreed upon digest respects the client preferences and
7234 // the server digests.
7235 testCases = append(testCases, testCase{
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7236 name: "NoCommonAlgorithms-Digests",
7237 config: Config{
7238 MaxVersion: VersionTLS12,
7239 ClientAuth: RequireAnyClientCert,
7240 VerifySignatureAlgorithms: []signatureAlgorithm{
7241 signatureRSAPKCS1WithSHA512,
7242 signatureRSAPKCS1WithSHA1,
7243 },
7244 },
7245 flags: []string{
7246 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7247 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7248 "-digest-prefs", "SHA256",
7249 },
7250 shouldFail: true,
7251 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7252 })
7253 testCases = append(testCases, testCase{
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7254 name: "NoCommonAlgorithms",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7255 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7256 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7257 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7258 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7259 signatureRSAPKCS1WithSHA512,
7260 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7261 },
7262 },
7263 flags: []string{
7264 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7265 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7266 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7267 },
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7268 shouldFail: true,
7269 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7270 })
7271 testCases = append(testCases, testCase{
7272 name: "NoCommonAlgorithms-TLS13",
7273 config: Config{
7274 MaxVersion: VersionTLS13,
7275 ClientAuth: RequireAnyClientCert,
7276 VerifySignatureAlgorithms: []signatureAlgorithm{
7277 signatureRSAPSSWithSHA512,
7278 signatureRSAPSSWithSHA384,
7279 },
7280 },
7281 flags: []string{
7282 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7283 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7284 "-signing-prefs", strconv.Itoa(int(signatureRSAPSSWithSHA256)),
7285 },
David Benjaminea9a0d52016-07-08 15:52:59 -0700[diff] [blame]7286 shouldFail: true,
7287 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7288 })
7289 testCases = append(testCases, testCase{
7290 name: "Agree-Digest-SHA256",
7291 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7292 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7293 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7294 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7295 signatureRSAPKCS1WithSHA1,
7296 signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7297 },
7298 },
7299 flags: []string{
7300 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7301 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7302 "-digest-prefs", "SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7303 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7304 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7305 })
7306 testCases = append(testCases, testCase{
7307 name: "Agree-Digest-SHA1",
7308 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7309 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7310 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7311 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7312 signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7313 },
7314 },
7315 flags: []string{
7316 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7317 "-key-file", path.Join(*resourceDir, rsaKeyFile),
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7318 "-digest-prefs", "SHA512,SHA256,SHA1",
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7319 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7320 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7321 })
7322 testCases = append(testCases, testCase{
7323 name: "Agree-Digest-Default",
7324 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7325 MaxVersion: VersionTLS12,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7326 ClientAuth: RequireAnyClientCert,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7327 VerifySignatureAlgorithms: []signatureAlgorithm{
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7328 signatureRSAPKCS1WithSHA256,
7329 signatureECDSAWithP256AndSHA256,
7330 signatureRSAPKCS1WithSHA1,
7331 signatureECDSAWithSHA1,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7332 },
7333 },
7334 flags: []string{
7335 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7336 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7337 },
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]7338 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
Steven Valdez0d62f262015-09-04 12:41:04 -0400[diff] [blame]7339 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7340
David Benjaminca3d5452016-07-14 12:51:01 -0400[diff] [blame]7341 // Test that the signing preference list may include extra algorithms
7342 // without negotiation problems.
7343 testCases = append(testCases, testCase{
7344 testType: serverTest,
7345 name: "FilterExtraAlgorithms",
7346 config: Config{
7347 MaxVersion: VersionTLS12,
7348 VerifySignatureAlgorithms: []signatureAlgorithm{
7349 signatureRSAPKCS1WithSHA256,
7350 },
7351 },
7352 flags: []string{
7353 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
7354 "-key-file", path.Join(*resourceDir, rsaKeyFile),
7355 "-signing-prefs", strconv.Itoa(int(fakeSigAlg1)),
7356 "-signing-prefs", strconv.Itoa(int(signatureECDSAWithP256AndSHA256)),
7357 "-signing-prefs", strconv.Itoa(int(signatureRSAPKCS1WithSHA256)),
7358 "-signing-prefs", strconv.Itoa(int(fakeSigAlg2)),
7359 },
7360 expectedPeerSignatureAlgorithm: signatureRSAPKCS1WithSHA256,
7361 })
7362
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7363 // In TLS 1.2 and below, ECDSA uses the curve list rather than the
7364 // signature algorithms.
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7365 testCases = append(testCases, testCase{
7366 name: "CheckLeafCurve",
7367 config: Config{
7368 MaxVersion: VersionTLS12,
7369 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]7370 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7371 },
7372 flags: []string{"-p384-only"},
7373 shouldFail: true,
7374 expectedError: ":BAD_ECC_CERT:",
7375 })
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7376
7377 // In TLS 1.3, ECDSA does not use the ECDHE curve list.
7378 testCases = append(testCases, testCase{
7379 name: "CheckLeafCurve-TLS13",
7380 config: Config{
7381 MaxVersion: VersionTLS13,
David Benjamin75ea5bb2016-07-08 17:43:29 -0700[diff] [blame]7382 Certificates: []Certificate{ecdsaP256Certificate},
7383 },
7384 flags: []string{"-p384-only"},
7385 })
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7386
7387 // In TLS 1.2, the ECDSA curve is not in the signature algorithm.
7388 testCases = append(testCases, testCase{
7389 name: "ECDSACurveMismatch-Verify-TLS12",
7390 config: Config{
7391 MaxVersion: VersionTLS12,
7392 CipherSuites: []uint16{TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256},
7393 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7394 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7395 signatureECDSAWithP384AndSHA384,
7396 },
7397 },
7398 })
7399
7400 // In TLS 1.3, the ECDSA curve comes from the signature algorithm.
7401 testCases = append(testCases, testCase{
7402 name: "ECDSACurveMismatch-Verify-TLS13",
7403 config: Config{
7404 MaxVersion: VersionTLS13,
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7405 Certificates: []Certificate{ecdsaP256Certificate},
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7406 SignSignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7407 signatureECDSAWithP384AndSHA384,
7408 },
7409 Bugs: ProtocolBugs{
7410 SkipECDSACurveCheck: true,
7411 },
7412 },
7413 shouldFail: true,
7414 expectedError: ":WRONG_SIGNATURE_TYPE:",
7415 })
7416
7417 // Signature algorithm selection in TLS 1.3 should take the curve into
7418 // account.
7419 testCases = append(testCases, testCase{
7420 testType: serverTest,
7421 name: "ECDSACurveMismatch-Sign-TLS13",
7422 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]7423 MaxVersion: VersionTLS13,
David Benjamin7a41d372016-07-09 11:21:54 -0700[diff] [blame]7424 VerifySignatureAlgorithms: []signatureAlgorithm{
David Benjamin1fb125c2016-07-08 18:52:12 -0700[diff] [blame]7425 signatureECDSAWithP384AndSHA384,
7426 signatureECDSAWithP256AndSHA256,
7427 },
7428 },
7429 flags: []string{
7430 "-cert-file", path.Join(*resourceDir, ecdsaP256CertificateFile),
7431 "-key-file", path.Join(*resourceDir, ecdsaP256KeyFile),
7432 },
7433 expectedPeerSignatureAlgorithm: signatureECDSAWithP256AndSHA256,
7434 })
David Benjamin7944a9f2016-07-12 22:27:01 -0400[diff] [blame]7435
7436 // RSASSA-PSS with SHA-512 is too large for 1024-bit RSA. Test that the
7437 // server does not attempt to sign in that case.
7438 testCases = append(testCases, testCase{
7439 testType: serverTest,
7440 name: "RSA-PSS-Large",
7441 config: Config{
7442 MaxVersion: VersionTLS13,
7443 VerifySignatureAlgorithms: []signatureAlgorithm{
7444 signatureRSAPSSWithSHA512,
7445 },
7446 },
7447 flags: []string{
7448 "-cert-file", path.Join(*resourceDir, rsa1024CertificateFile),
7449 "-key-file", path.Join(*resourceDir, rsa1024KeyFile),
7450 },
7451 shouldFail: true,
7452 expectedError: ":NO_COMMON_SIGNATURE_ALGORITHMS:",
7453 })
David Benjamin57e929f2016-08-30 00:30:38 -0400[diff] [blame]7454
7455 // Test that RSA-PSS is enabled by default for TLS 1.2.
7456 testCases = append(testCases, testCase{
7457 testType: clientTest,
7458 name: "RSA-PSS-Default-Verify",
7459 config: Config{
7460 MaxVersion: VersionTLS12,
7461 SignSignatureAlgorithms: []signatureAlgorithm{
7462 signatureRSAPSSWithSHA256,
7463 },
7464 },
7465 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7466 })
7467
7468 testCases = append(testCases, testCase{
7469 testType: serverTest,
7470 name: "RSA-PSS-Default-Sign",
7471 config: Config{
7472 MaxVersion: VersionTLS12,
7473 VerifySignatureAlgorithms: []signatureAlgorithm{
7474 signatureRSAPSSWithSHA256,
7475 },
7476 },
7477 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
7478 })
Adam Langley898be922017-02-27 12:37:59 -0800[diff] [blame]7479
7480 // A server certificate with a P-224 key will only work up to TLS 1.2
7481 // and we only test it with BoringSSL acting as a server because that's
7482 // all Alphabet requires with it.
7483 testCases = append(testCases, testCase{
7484 testType: serverTest,
7485 name: "P224-Server",
7486 config: Config{
7487 VerifySignatureAlgorithms: []signatureAlgorithm{
7488 // TLS 1.2 does not require that the curve
7489 // match the hash, thus P-256 with SHA-256 is
7490 // the same signature algorithm value as P-224
7491 // with SHA-256.
7492 signatureECDSAWithP256AndSHA256,
7493 },
7494 // P-256 must be offered as well because ECDHE requires
7495 // it.
7496 CurvePreferences: []CurveID{CurveP224, CurveP256},
7497 },
7498 flags: []string{
7499 "-max-version", strconv.Itoa(VersionTLS12),
7500 "-cert-file", path.Join(*resourceDir, ecdsaP224CertificateFile),
7501 "-key-file", path.Join(*resourceDir, ecdsaP224KeyFile),
7502 },
7503 })
David Benjamin000800a2014-11-14 01:43:59 -0500[diff] [blame]7504}
7505
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7506// timeouts is the retransmit schedule for BoringSSL. It doubles and
7507// caps at 60 seconds. On the 13th timeout, it gives up.
7508var timeouts = []time.Duration{
7509 1 * time.Second,
7510 2 * time.Second,
7511 4 * time.Second,
7512 8 * time.Second,
7513 16 * time.Second,
7514 32 * time.Second,
7515 60 * time.Second,
7516 60 * time.Second,
7517 60 * time.Second,
7518 60 * time.Second,
7519 60 * time.Second,
7520 60 * time.Second,
7521 60 * time.Second,
7522}
7523
Taylor Brandstetter376a0fe2016-05-10 19:30:28 -0700[diff] [blame]7524// shortTimeouts is an alternate set of timeouts which would occur if the
7525// initial timeout duration was set to 250ms.
7526var shortTimeouts = []time.Duration{
7527 250 * time.Millisecond,
7528 500 * time.Millisecond,
7529 1 * time.Second,
7530 2 * time.Second,
7531 4 * time.Second,
7532 8 * time.Second,
7533 16 * time.Second,
7534 32 * time.Second,
7535 60 * time.Second,
7536 60 * time.Second,
7537 60 * time.Second,
7538 60 * time.Second,
7539 60 * time.Second,
7540}
7541
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7542func addDTLSRetransmitTests() {
David Benjamin585d7a42016-06-02 14:58:00 -0400[diff] [blame]7543 // These tests work by coordinating some behavior on both the shim and
7544 // the runner.
7545 //
7546 // TimeoutSchedule configures the runner to send a series of timeout
7547 // opcodes to the shim (see packetAdaptor) immediately before reading
7548 // each peer handshake flight N. The timeout opcode both simulates a
7549 // timeout in the shim and acts as a synchronization point to help the
7550 // runner bracket each handshake flight.
7551 //
7552 // We assume the shim does not read from the channel eagerly. It must
7553 // first wait until it has sent flight N and is ready to receive
7554 // handshake flight N+1. At this point, it will process the timeout
7555 // opcode. It must then immediately respond with a timeout ACK and act
7556 // as if the shim was idle for the specified amount of time.
7557 //
7558 // The runner then drops all packets received before the ACK and
7559 // continues waiting for flight N. This ordering results in one attempt
7560 // at sending flight N to be dropped. For the test to complete, the
7561 // shim must send flight N again, testing that the shim implements DTLS
7562 // retransmit on a timeout.
7563
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7564 // TODO(davidben): Add DTLS 1.3 versions of these tests. There will
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7565 // likely be more epochs to cross and the final message's retransmit may
7566 // be more complex.
7567
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7568 // Test that this is indeed the timeout schedule. Stress all
7569 // four patterns of handshake.
7570 for i := 1; i < len(timeouts); i++ {
7571 number := strconv.Itoa(i)
7572 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7573 protocol: dtls,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7574 name: "DTLS-Retransmit-Client-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7575 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7576 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7577 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7578 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7579 },
7580 },
7581 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7582 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7583 })
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7584 testCases = append(testCases, testCase{
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7585 protocol: dtls,
7586 testType: serverTest,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7587 name: "DTLS-Retransmit-Server-" + number,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7588 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7589 MaxVersion: VersionTLS12,
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7590 Bugs: ProtocolBugs{
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7591 TimeoutSchedule: timeouts[:i],
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7592 },
7593 },
7594 resumeSession: true,
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7595 flags: []string{"-async"},
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7596 })
7597 }
David Benjamin11c82892017-02-23 20:40:31 -0500[diff] [blame]7598
7599 // Test that exceeding the timeout schedule hits a read
7600 // timeout.
7601 testCases = append(testCases, testCase{
7602 protocol: dtls,
7603 name: "DTLS-Retransmit-Timeout",
7604 config: Config{
7605 MaxVersion: VersionTLS12,
7606 Bugs: ProtocolBugs{
7607 TimeoutSchedule: timeouts,
7608 },
7609 },
7610 resumeSession: true,
7611 flags: []string{"-async"},
7612 shouldFail: true,
7613 expectedError: ":READ_TIMEOUT_EXPIRED:",
7614 })
7615
7616 // Test that timeout handling has a fudge factor, due to API
7617 // problems.
7618 testCases = append(testCases, testCase{
7619 protocol: dtls,
7620 name: "DTLS-Retransmit-Fudge",
7621 config: Config{
7622 MaxVersion: VersionTLS12,
7623 Bugs: ProtocolBugs{
7624 TimeoutSchedule: []time.Duration{
7625 timeouts[0] - 10*time.Millisecond,
7626 },
7627 },
7628 },
7629 resumeSession: true,
7630 flags: []string{"-async"},
7631 })
7632
7633 // Test that the final Finished retransmitting isn't
7634 // duplicated if the peer badly fragments everything.
7635 testCases = append(testCases, testCase{
7636 testType: serverTest,
7637 protocol: dtls,
7638 name: "DTLS-Retransmit-Fragmented",
7639 config: Config{
7640 MaxVersion: VersionTLS12,
7641 Bugs: ProtocolBugs{
7642 TimeoutSchedule: []time.Duration{timeouts[0]},
7643 MaxHandshakeRecordLength: 2,
7644 },
7645 },
7646 flags: []string{"-async"},
7647 })
7648
7649 // Test the timeout schedule when a shorter initial timeout duration is set.
7650 testCases = append(testCases, testCase{
7651 protocol: dtls,
7652 name: "DTLS-Retransmit-Short-Client",
7653 config: Config{
7654 MaxVersion: VersionTLS12,
7655 Bugs: ProtocolBugs{
7656 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7657 },
7658 },
7659 resumeSession: true,
7660 flags: []string{
7661 "-async",
7662 "-initial-timeout-duration-ms", "250",
7663 },
7664 })
7665 testCases = append(testCases, testCase{
7666 protocol: dtls,
7667 testType: serverTest,
7668 name: "DTLS-Retransmit-Short-Server",
7669 config: Config{
7670 MaxVersion: VersionTLS12,
7671 Bugs: ProtocolBugs{
7672 TimeoutSchedule: shortTimeouts[:len(shortTimeouts)-1],
7673 },
7674 },
7675 resumeSession: true,
7676 flags: []string{
7677 "-async",
7678 "-initial-timeout-duration-ms", "250",
7679 },
7680 })
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]7681}
7682
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7683func addExportKeyingMaterialTests() {
7684 for _, vers := range tlsVersions {
7685 if vers.version == VersionSSL30 {
7686 continue
7687 }
7688 testCases = append(testCases, testCase{
7689 name: "ExportKeyingMaterial-" + vers.name,
7690 config: Config{
7691 MaxVersion: vers.version,
7692 },
7693 exportKeyingMaterial: 1024,
7694 exportLabel: "label",
7695 exportContext: "context",
7696 useExportContext: true,
7697 })
7698 testCases = append(testCases, testCase{
7699 name: "ExportKeyingMaterial-NoContext-" + vers.name,
7700 config: Config{
7701 MaxVersion: vers.version,
7702 },
7703 exportKeyingMaterial: 1024,
7704 })
7705 testCases = append(testCases, testCase{
7706 name: "ExportKeyingMaterial-EmptyContext-" + vers.name,
7707 config: Config{
7708 MaxVersion: vers.version,
7709 },
7710 exportKeyingMaterial: 1024,
7711 useExportContext: true,
7712 })
7713 testCases = append(testCases, testCase{
7714 name: "ExportKeyingMaterial-Small-" + vers.name,
7715 config: Config{
7716 MaxVersion: vers.version,
7717 },
7718 exportKeyingMaterial: 1,
7719 exportLabel: "label",
7720 exportContext: "context",
7721 useExportContext: true,
7722 })
7723 }
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7724
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7725 testCases = append(testCases, testCase{
7726 name: "ExportKeyingMaterial-SSL3",
7727 config: Config{
7728 MaxVersion: VersionSSL30,
7729 },
7730 exportKeyingMaterial: 1024,
7731 exportLabel: "label",
7732 exportContext: "context",
7733 useExportContext: true,
7734 shouldFail: true,
7735 expectedError: "failed to export keying material",
7736 })
David Benjamin7bb1d292016-11-01 19:45:06 -0400[diff] [blame]7737
7738 // Exporters work during a False Start.
7739 testCases = append(testCases, testCase{
7740 name: "ExportKeyingMaterial-FalseStart",
7741 config: Config{
7742 MaxVersion: VersionTLS12,
7743 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
7744 NextProtos: []string{"foo"},
7745 Bugs: ProtocolBugs{
7746 ExpectFalseStart: true,
7747 },
7748 },
7749 flags: []string{
7750 "-false-start",
7751 "-advertise-alpn", "\x03foo",
7752 },
7753 shimWritesFirst: true,
7754 exportKeyingMaterial: 1024,
7755 exportLabel: "label",
7756 exportContext: "context",
7757 useExportContext: true,
7758 })
7759
7760 // Exporters do not work in the middle of a renegotiation. Test this by
7761 // triggering the exporter after every SSL_read call and configuring the
7762 // shim to run asynchronously.
7763 testCases = append(testCases, testCase{
7764 name: "ExportKeyingMaterial-Renegotiate",
7765 config: Config{
7766 MaxVersion: VersionTLS12,
7767 },
7768 renegotiate: 1,
7769 flags: []string{
7770 "-async",
7771 "-use-exporter-between-reads",
7772 "-renegotiate-freely",
7773 "-expect-total-renegotiations", "1",
7774 },
7775 shouldFail: true,
7776 expectedError: "failed to export keying material",
7777 })
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]7778}
7779
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7780func addTLSUniqueTests() {
7781 for _, isClient := range []bool{false, true} {
7782 for _, isResumption := range []bool{false, true} {
7783 for _, hasEMS := range []bool{false, true} {
7784 var suffix string
7785 if isResumption {
7786 suffix = "Resume-"
7787 } else {
7788 suffix = "Full-"
7789 }
7790
7791 if hasEMS {
7792 suffix += "EMS-"
7793 } else {
7794 suffix += "NoEMS-"
7795 }
7796
7797 if isClient {
7798 suffix += "Client"
7799 } else {
7800 suffix += "Server"
7801 }
7802
7803 test := testCase{
7804 name: "TLSUnique-" + suffix,
7805 testTLSUnique: true,
7806 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7807 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7808 Bugs: ProtocolBugs{
7809 NoExtendedMasterSecret: !hasEMS,
7810 },
7811 },
7812 }
7813
7814 if isResumption {
7815 test.resumeSession = true
7816 test.resumeConfig = &Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7817 MaxVersion: VersionTLS12,
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]7818 Bugs: ProtocolBugs{
7819 NoExtendedMasterSecret: !hasEMS,
7820 },
7821 }
7822 }
7823
7824 if isResumption && !hasEMS {
7825 test.shouldFail = true
7826 test.expectedError = "failed to get tls-unique"
7827 }
7828
7829 testCases = append(testCases, test)
7830 }
7831 }
7832 }
7833}
7834
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7835func addCustomExtensionTests() {
7836 expectedContents := "custom extension"
7837 emptyString := ""
7838
7839 for _, isClient := range []bool{false, true} {
7840 suffix := "Server"
7841 flag := "-enable-server-custom-extension"
7842 testType := serverTest
7843 if isClient {
7844 suffix = "Client"
7845 flag = "-enable-client-custom-extension"
7846 testType = clientTest
7847 }
7848
7849 testCases = append(testCases, testCase{
7850 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7851 name: "CustomExtensions-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7852 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7853 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7854 Bugs: ProtocolBugs{
7855 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7856 ExpectedCustomExtension: &expectedContents,
7857 },
7858 },
7859 flags: []string{flag},
7860 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7861 testCases = append(testCases, testCase{
7862 testType: testType,
7863 name: "CustomExtensions-" + suffix + "-TLS13",
7864 config: Config{
7865 MaxVersion: VersionTLS13,
7866 Bugs: ProtocolBugs{
7867 CustomExtension: expectedContents,
7868 ExpectedCustomExtension: &expectedContents,
7869 },
7870 },
7871 flags: []string{flag},
7872 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7873
7874 // If the parse callback fails, the handshake should also fail.
7875 testCases = append(testCases, testCase{
7876 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7877 name: "CustomExtensions-ParseError-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7878 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7879 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7880 Bugs: ProtocolBugs{
7881 CustomExtension: expectedContents + "foo",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7882 ExpectedCustomExtension: &expectedContents,
7883 },
7884 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7885 flags: []string{flag},
7886 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7887 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7888 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7889 testCases = append(testCases, testCase{
7890 testType: testType,
7891 name: "CustomExtensions-ParseError-" + suffix + "-TLS13",
7892 config: Config{
7893 MaxVersion: VersionTLS13,
7894 Bugs: ProtocolBugs{
7895 CustomExtension: expectedContents + "foo",
7896 ExpectedCustomExtension: &expectedContents,
7897 },
7898 },
7899 flags: []string{flag},
7900 shouldFail: true,
7901 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7902 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7903
7904 // If the add callback fails, the handshake should also fail.
7905 testCases = append(testCases, testCase{
7906 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7907 name: "CustomExtensions-FailAdd-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7908 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7909 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7910 Bugs: ProtocolBugs{
7911 CustomExtension: expectedContents,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7912 ExpectedCustomExtension: &expectedContents,
7913 },
7914 },
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7915 flags: []string{flag, "-custom-extension-fail-add"},
7916 shouldFail: true,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7917 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7918 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7919 testCases = append(testCases, testCase{
7920 testType: testType,
7921 name: "CustomExtensions-FailAdd-" + suffix + "-TLS13",
7922 config: Config{
7923 MaxVersion: VersionTLS13,
7924 Bugs: ProtocolBugs{
7925 CustomExtension: expectedContents,
7926 ExpectedCustomExtension: &expectedContents,
7927 },
7928 },
7929 flags: []string{flag, "-custom-extension-fail-add"},
7930 shouldFail: true,
7931 expectedError: ":CUSTOM_EXTENSION_ERROR:",
7932 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7933
7934 // If the add callback returns zero, no extension should be
7935 // added.
7936 skipCustomExtension := expectedContents
7937 if isClient {
7938 // For the case where the client skips sending the
7939 // custom extension, the server must not “echo” it.
7940 skipCustomExtension = ""
7941 }
7942 testCases = append(testCases, testCase{
7943 testType: testType,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7944 name: "CustomExtensions-Skip-" + suffix,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7945 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7946 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7947 Bugs: ProtocolBugs{
7948 CustomExtension: skipCustomExtension,
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7949 ExpectedCustomExtension: &emptyString,
7950 },
7951 },
7952 flags: []string{flag, "-custom-extension-skip"},
7953 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7954 testCases = append(testCases, testCase{
7955 testType: testType,
7956 name: "CustomExtensions-Skip-" + suffix + "-TLS13",
7957 config: Config{
7958 MaxVersion: VersionTLS13,
7959 Bugs: ProtocolBugs{
7960 CustomExtension: skipCustomExtension,
7961 ExpectedCustomExtension: &emptyString,
7962 },
7963 },
7964 flags: []string{flag, "-custom-extension-skip"},
7965 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7966 }
7967
7968 // The custom extension add callback should not be called if the client
7969 // doesn't send the extension.
7970 testCases = append(testCases, testCase{
7971 testType: serverTest,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7972 name: "CustomExtensions-NotCalled-Server",
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7973 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7974 MaxVersion: VersionTLS12,
David Benjamin399e7c92015-07-30 23:01:27 -0400[diff] [blame]7975 Bugs: ProtocolBugs{
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]7976 ExpectedCustomExtension: &emptyString,
7977 },
7978 },
7979 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7980 })
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7981
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]7982 testCases = append(testCases, testCase{
7983 testType: serverTest,
7984 name: "CustomExtensions-NotCalled-Server-TLS13",
7985 config: Config{
7986 MaxVersion: VersionTLS13,
7987 Bugs: ProtocolBugs{
7988 ExpectedCustomExtension: &emptyString,
7989 },
7990 },
7991 flags: []string{"-enable-server-custom-extension", "-custom-extension-fail-add"},
7992 })
7993
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]7994 // Test an unknown extension from the server.
7995 testCases = append(testCases, testCase{
7996 testType: clientTest,
7997 name: "UnknownExtension-Client",
7998 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]7999 MaxVersion: VersionTLS12,
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8000 Bugs: ProtocolBugs{
8001 CustomExtension: expectedContents,
8002 },
8003 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8004 shouldFail: true,
8005 expectedError: ":UNEXPECTED_EXTENSION:",
8006 expectedLocalError: "remote error: unsupported extension",
Adam Langley2deb9842015-08-07 11:15:37 -0700[diff] [blame]8007 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8008 testCases = append(testCases, testCase{
8009 testType: clientTest,
8010 name: "UnknownExtension-Client-TLS13",
8011 config: Config{
8012 MaxVersion: VersionTLS13,
8013 Bugs: ProtocolBugs{
8014 CustomExtension: expectedContents,
8015 },
8016 },
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8017 shouldFail: true,
8018 expectedError: ":UNEXPECTED_EXTENSION:",
8019 expectedLocalError: "remote error: unsupported extension",
8020 })
David Benjamin490469f2016-10-05 22:44:38 -0400[diff] [blame]8021 testCases = append(testCases, testCase{
8022 testType: clientTest,
8023 name: "UnknownUnencryptedExtension-Client-TLS13",
8024 config: Config{
8025 MaxVersion: VersionTLS13,
8026 Bugs: ProtocolBugs{
8027 CustomUnencryptedExtension: expectedContents,
8028 },
8029 },
8030 shouldFail: true,
8031 expectedError: ":UNEXPECTED_EXTENSION:",
8032 // The shim must send an alert, but alerts at this point do not
8033 // get successfully decrypted by the runner.
8034 expectedLocalError: "local error: bad record MAC",
8035 })
8036 testCases = append(testCases, testCase{
8037 testType: clientTest,
8038 name: "UnexpectedUnencryptedExtension-Client-TLS13",
8039 config: Config{
8040 MaxVersion: VersionTLS13,
8041 Bugs: ProtocolBugs{
8042 SendUnencryptedALPN: "foo",
8043 },
8044 },
8045 flags: []string{
8046 "-advertise-alpn", "\x03foo\x03bar",
8047 },
8048 shouldFail: true,
8049 expectedError: ":UNEXPECTED_EXTENSION:",
8050 // The shim must send an alert, but alerts at this point do not
8051 // get successfully decrypted by the runner.
8052 expectedLocalError: "local error: bad record MAC",
8053 })
David Benjamin0c40a962016-08-01 12:05:50 -0400[diff] [blame]8054
8055 // Test a known but unoffered extension from the server.
8056 testCases = append(testCases, testCase{
8057 testType: clientTest,
8058 name: "UnofferedExtension-Client",
8059 config: Config{
8060 MaxVersion: VersionTLS12,
8061 Bugs: ProtocolBugs{
8062 SendALPN: "alpn",
8063 },
8064 },
8065 shouldFail: true,
8066 expectedError: ":UNEXPECTED_EXTENSION:",
8067 expectedLocalError: "remote error: unsupported extension",
8068 })
8069 testCases = append(testCases, testCase{
8070 testType: clientTest,
8071 name: "UnofferedExtension-Client-TLS13",
8072 config: Config{
8073 MaxVersion: VersionTLS13,
8074 Bugs: ProtocolBugs{
8075 SendALPN: "alpn",
8076 },
8077 },
8078 shouldFail: true,
8079 expectedError: ":UNEXPECTED_EXTENSION:",
8080 expectedLocalError: "remote error: unsupported extension",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8081 })
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]8082}
8083
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8084func addRSAClientKeyExchangeTests() {
8085 for bad := RSABadValue(1); bad < NumRSABadValues; bad++ {
8086 testCases = append(testCases, testCase{
8087 testType: serverTest,
8088 name: fmt.Sprintf("BadRSAClientKeyExchange-%d", bad),
8089 config: Config{
8090 // Ensure the ClientHello version and final
8091 // version are different, to detect if the
8092 // server uses the wrong one.
8093 MaxVersion: VersionTLS11,
Matt Braithwaite07e78062016-08-21 14:50:43 -0700[diff] [blame]8094 CipherSuites: []uint16{TLS_RSA_WITH_3DES_EDE_CBC_SHA},
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8095 Bugs: ProtocolBugs{
8096 BadRSAClientKeyExchange: bad,
8097 },
8098 },
8099 shouldFail: true,
8100 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8101 })
8102 }
David Benjamine63d9d72016-09-19 18:27:34 -0400[diff] [blame]8103
8104 // The server must compare whatever was in ClientHello.version for the
8105 // RSA premaster.
8106 testCases = append(testCases, testCase{
8107 testType: serverTest,
8108 name: "SendClientVersion-RSA",
8109 config: Config{
8110 CipherSuites: []uint16{TLS_RSA_WITH_AES_128_GCM_SHA256},
8111 Bugs: ProtocolBugs{
8112 SendClientVersion: 0x1234,
8113 },
8114 },
8115 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
8116 })
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]8117}
8118
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8119var testCurves = []struct {
8120 name string
8121 id CurveID
8122}{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8123 {"P-256", CurveP256},
8124 {"P-384", CurveP384},
8125 {"P-521", CurveP521},
David Benjamin4298d772015-12-19 00:18:25 -0500[diff] [blame]8126 {"X25519", CurveX25519},
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8127}
8128
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8129const bogusCurve = 0x1234
8130
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8131func addCurveTests() {
8132 for _, curve := range testCurves {
8133 testCases = append(testCases, testCase{
8134 name: "CurveTest-Client-" + curve.name,
8135 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8136 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8137 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8138 CurvePreferences: []CurveID{curve.id},
8139 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8140 flags: []string{
8141 "-enable-all-curves",
8142 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8143 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8144 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8145 })
8146 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8147 name: "CurveTest-Client-" + curve.name + "-TLS13",
8148 config: Config{
8149 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8150 CurvePreferences: []CurveID{curve.id},
8151 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8152 flags: []string{
8153 "-enable-all-curves",
8154 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8155 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8156 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8157 })
8158 testCases = append(testCases, testCase{
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8159 testType: serverTest,
8160 name: "CurveTest-Server-" + curve.name,
8161 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8162 MaxVersion: VersionTLS12,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8163 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8164 CurvePreferences: []CurveID{curve.id},
8165 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8166 flags: []string{
8167 "-enable-all-curves",
8168 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8169 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8170 expectedCurveID: curve.id,
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8171 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8172 testCases = append(testCases, testCase{
8173 testType: serverTest,
8174 name: "CurveTest-Server-" + curve.name + "-TLS13",
8175 config: Config{
8176 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8177 CurvePreferences: []CurveID{curve.id},
8178 },
David Benjamin5c4e8572016-08-19 17:44:53 -0400[diff] [blame]8179 flags: []string{
8180 "-enable-all-curves",
8181 "-expect-curve-id", strconv.Itoa(int(curve.id)),
8182 },
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]8183 expectedCurveID: curve.id,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8184 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8185 }
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8186
8187 // The server must be tolerant to bogus curves.
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8188 testCases = append(testCases, testCase{
8189 testType: serverTest,
8190 name: "UnknownCurve",
8191 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8192 MaxVersion: VersionTLS12,
David Benjamin241ae832016-01-15 03:04:54 -0500[diff] [blame]8193 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8194 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8195 },
8196 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8197
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8198 // The server must be tolerant to bogus curves.
8199 testCases = append(testCases, testCase{
8200 testType: serverTest,
8201 name: "UnknownCurve-TLS13",
8202 config: Config{
8203 MaxVersion: VersionTLS13,
8204 CurvePreferences: []CurveID{bogusCurve, CurveP256},
8205 },
8206 })
8207
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8208 // The server must not consider ECDHE ciphers when there are no
8209 // supported curves.
8210 testCases = append(testCases, testCase{
8211 testType: serverTest,
8212 name: "NoSupportedCurves",
8213 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8214 MaxVersion: VersionTLS12,
8215 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8216 Bugs: ProtocolBugs{
8217 NoSupportedCurves: true,
8218 },
8219 },
8220 shouldFail: true,
8221 expectedError: ":NO_SHARED_CIPHER:",
8222 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8223 testCases = append(testCases, testCase{
8224 testType: serverTest,
8225 name: "NoSupportedCurves-TLS13",
8226 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8227 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8228 Bugs: ProtocolBugs{
8229 NoSupportedCurves: true,
8230 },
8231 },
8232 shouldFail: true,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8233 expectedError: ":NO_SHARED_GROUP:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8234 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8235
8236 // The server must fall back to another cipher when there are no
8237 // supported curves.
8238 testCases = append(testCases, testCase{
8239 testType: serverTest,
8240 name: "NoCommonCurves",
8241 config: Config{
8242 MaxVersion: VersionTLS12,
8243 CipherSuites: []uint16{
8244 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8245 TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8246 },
8247 CurvePreferences: []CurveID{CurveP224},
8248 },
Matthew Braithwaitecedc6f12017-03-15 19:20:23 -0700[diff] [blame]8249 expectedCipher: TLS_RSA_WITH_AES_128_GCM_SHA256,
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8250 })
8251
8252 // The client must reject bogus curves and disabled curves.
8253 testCases = append(testCases, testCase{
8254 name: "BadECDHECurve",
8255 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8256 MaxVersion: VersionTLS12,
8257 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8258 Bugs: ProtocolBugs{
8259 SendCurve: bogusCurve,
8260 },
8261 },
8262 shouldFail: true,
8263 expectedError: ":WRONG_CURVE:",
8264 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8265 testCases = append(testCases, testCase{
8266 name: "BadECDHECurve-TLS13",
8267 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8268 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8269 Bugs: ProtocolBugs{
8270 SendCurve: bogusCurve,
8271 },
8272 },
8273 shouldFail: true,
8274 expectedError: ":WRONG_CURVE:",
8275 })
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8276
8277 testCases = append(testCases, testCase{
8278 name: "UnsupportedCurve",
8279 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8280 MaxVersion: VersionTLS12,
8281 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8282 CurvePreferences: []CurveID{CurveP256},
8283 Bugs: ProtocolBugs{
8284 IgnorePeerCurvePreferences: true,
8285 },
8286 },
8287 flags: []string{"-p384-only"},
8288 shouldFail: true,
8289 expectedError: ":WRONG_CURVE:",
8290 })
8291
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8292 testCases = append(testCases, testCase{
8293 // TODO(davidben): Add a TLS 1.3 version where
8294 // HelloRetryRequest requests an unsupported curve.
8295 name: "UnsupportedCurve-ServerHello-TLS13",
8296 config: Config{
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]8297 MaxVersion: VersionTLS13,
David Benjamin4f921572016-07-17 14:20:10 +0200[diff] [blame]8298 CurvePreferences: []CurveID{CurveP384},
8299 Bugs: ProtocolBugs{
8300 SendCurve: CurveP256,
8301 },
8302 },
8303 flags: []string{"-p384-only"},
8304 shouldFail: true,
8305 expectedError: ":WRONG_CURVE:",
8306 })
8307
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8308 // Test invalid curve points.
8309 testCases = append(testCases, testCase{
8310 name: "InvalidECDHPoint-Client",
8311 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8312 MaxVersion: VersionTLS12,
8313 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8314 CurvePreferences: []CurveID{CurveP256},
8315 Bugs: ProtocolBugs{
8316 InvalidECDHPoint: true,
8317 },
8318 },
8319 shouldFail: true,
8320 expectedError: ":INVALID_ENCODING:",
8321 })
8322 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8323 name: "InvalidECDHPoint-Client-TLS13",
8324 config: Config{
8325 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8326 CurvePreferences: []CurveID{CurveP256},
8327 Bugs: ProtocolBugs{
8328 InvalidECDHPoint: true,
8329 },
8330 },
8331 shouldFail: true,
8332 expectedError: ":INVALID_ENCODING:",
8333 })
8334 testCases = append(testCases, testCase{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8335 testType: serverTest,
8336 name: "InvalidECDHPoint-Server",
8337 config: Config{
David Benjamin4c3ddf72016-06-29 18:13:53 -0400[diff] [blame]8338 MaxVersion: VersionTLS12,
8339 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8340 CurvePreferences: []CurveID{CurveP256},
8341 Bugs: ProtocolBugs{
8342 InvalidECDHPoint: true,
8343 },
8344 },
8345 shouldFail: true,
8346 expectedError: ":INVALID_ENCODING:",
8347 })
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8348 testCases = append(testCases, testCase{
8349 testType: serverTest,
8350 name: "InvalidECDHPoint-Server-TLS13",
8351 config: Config{
8352 MaxVersion: VersionTLS13,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8353 CurvePreferences: []CurveID{CurveP256},
8354 Bugs: ProtocolBugs{
8355 InvalidECDHPoint: true,
8356 },
8357 },
8358 shouldFail: true,
8359 expectedError: ":INVALID_ENCODING:",
8360 })
David Benjamin8a55ce42016-12-11 03:03:42 -0500[diff] [blame]8361
8362 // The previous curve ID should be reported on TLS 1.2 resumption.
8363 testCases = append(testCases, testCase{
8364 name: "CurveID-Resume-Client",
8365 config: Config{
8366 MaxVersion: VersionTLS12,
8367 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8368 CurvePreferences: []CurveID{CurveX25519},
8369 },
8370 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8371 resumeSession: true,
8372 })
8373 testCases = append(testCases, testCase{
8374 testType: serverTest,
8375 name: "CurveID-Resume-Server",
8376 config: Config{
8377 MaxVersion: VersionTLS12,
8378 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
8379 CurvePreferences: []CurveID{CurveX25519},
8380 },
8381 flags: []string{"-expect-curve-id", strconv.Itoa(int(CurveX25519))},
8382 resumeSession: true,
8383 })
8384
8385 // TLS 1.3 allows resuming at a differet curve. If this happens, the new
8386 // one should be reported.
8387 testCases = append(testCases, testCase{
8388 name: "CurveID-Resume-Client-TLS13",
8389 config: Config{
8390 MaxVersion: VersionTLS13,
8391 CurvePreferences: []CurveID{CurveX25519},
8392 },
8393 resumeConfig: &Config{
8394 MaxVersion: VersionTLS13,
8395 CurvePreferences: []CurveID{CurveP256},
8396 },
8397 flags: []string{
8398 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8399 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8400 },
8401 resumeSession: true,
8402 })
8403 testCases = append(testCases, testCase{
8404 testType: serverTest,
8405 name: "CurveID-Resume-Server-TLS13",
8406 config: Config{
8407 MaxVersion: VersionTLS13,
8408 CurvePreferences: []CurveID{CurveX25519},
8409 },
8410 resumeConfig: &Config{
8411 MaxVersion: VersionTLS13,
8412 CurvePreferences: []CurveID{CurveP256},
8413 },
8414 flags: []string{
8415 "-expect-curve-id", strconv.Itoa(int(CurveX25519)),
8416 "-expect-resume-curve-id", strconv.Itoa(int(CurveP256)),
8417 },
8418 resumeSession: true,
8419 })
David Benjamina81967b2016-12-22 09:16:57 -0500[diff] [blame]8420
8421 // Server-sent point formats are legal in TLS 1.2, but not in TLS 1.3.
8422 testCases = append(testCases, testCase{
8423 name: "PointFormat-ServerHello-TLS12",
8424 config: Config{
8425 MaxVersion: VersionTLS12,
8426 Bugs: ProtocolBugs{
8427 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8428 },
8429 },
8430 })
8431 testCases = append(testCases, testCase{
8432 name: "PointFormat-EncryptedExtensions-TLS13",
8433 config: Config{
8434 MaxVersion: VersionTLS13,
8435 Bugs: ProtocolBugs{
8436 SendSupportedPointFormats: []byte{pointFormatUncompressed},
8437 },
8438 },
8439 shouldFail: true,
8440 expectedError: ":ERROR_PARSING_EXTENSION:",
8441 })
8442
8443 // Test that we tolerate unknown point formats, as long as
8444 // pointFormatUncompressed is present. Limit ciphers to ECDHE ciphers to
8445 // check they are still functional.
8446 testCases = append(testCases, testCase{
8447 name: "PointFormat-Client-Tolerance",
8448 config: Config{
8449 MaxVersion: VersionTLS12,
8450 Bugs: ProtocolBugs{
8451 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8452 },
8453 },
8454 })
8455 testCases = append(testCases, testCase{
8456 testType: serverTest,
8457 name: "PointFormat-Server-Tolerance",
8458 config: Config{
8459 MaxVersion: VersionTLS12,
8460 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8461 Bugs: ProtocolBugs{
8462 SendSupportedPointFormats: []byte{42, pointFormatUncompressed, 99, pointFormatCompressedPrime},
8463 },
8464 },
8465 })
8466
8467 // Test TLS 1.2 does not require the point format extension to be
8468 // present.
8469 testCases = append(testCases, testCase{
8470 name: "PointFormat-Client-Missing",
8471 config: Config{
8472 MaxVersion: VersionTLS12,
8473 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8474 Bugs: ProtocolBugs{
8475 SendSupportedPointFormats: []byte{},
8476 },
8477 },
8478 })
8479 testCases = append(testCases, testCase{
8480 testType: serverTest,
8481 name: "PointFormat-Server-Missing",
8482 config: Config{
8483 MaxVersion: VersionTLS12,
8484 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256},
8485 Bugs: ProtocolBugs{
8486 SendSupportedPointFormats: []byte{},
8487 },
8488 },
8489 })
8490
8491 // If the point format extension is present, uncompressed points must be
8492 // offered. BoringSSL requires this whether or not ECDHE is used.
8493 testCases = append(testCases, testCase{
8494 name: "PointFormat-Client-MissingUncompressed",
8495 config: Config{
8496 MaxVersion: VersionTLS12,
8497 Bugs: ProtocolBugs{
8498 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8499 },
8500 },
8501 shouldFail: true,
8502 expectedError: ":ERROR_PARSING_EXTENSION:",
8503 })
8504 testCases = append(testCases, testCase{
8505 testType: serverTest,
8506 name: "PointFormat-Server-MissingUncompressed",
8507 config: Config{
8508 MaxVersion: VersionTLS12,
8509 Bugs: ProtocolBugs{
8510 SendSupportedPointFormats: []byte{pointFormatCompressedPrime},
8511 },
8512 },
8513 shouldFail: true,
8514 expectedError: ":ERROR_PARSING_EXTENSION:",
8515 })
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]8516}
8517
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]8518func addTLS13RecordTests() {
8519 testCases = append(testCases, testCase{
8520 name: "TLS13-RecordPadding",
8521 config: Config{
8522 MaxVersion: VersionTLS13,
8523 MinVersion: VersionTLS13,
8524 Bugs: ProtocolBugs{
8525 RecordPadding: 10,
8526 },
8527 },
8528 })
8529
8530 testCases = append(testCases, testCase{
8531 name: "TLS13-EmptyRecords",
8532 config: Config{
8533 MaxVersion: VersionTLS13,
8534 MinVersion: VersionTLS13,
8535 Bugs: ProtocolBugs{
8536 OmitRecordContents: true,
8537 },
8538 },
8539 shouldFail: true,
8540 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8541 })
8542
8543 testCases = append(testCases, testCase{
8544 name: "TLS13-OnlyPadding",
8545 config: Config{
8546 MaxVersion: VersionTLS13,
8547 MinVersion: VersionTLS13,
8548 Bugs: ProtocolBugs{
8549 OmitRecordContents: true,
8550 RecordPadding: 10,
8551 },
8552 },
8553 shouldFail: true,
8554 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
8555 })
8556
8557 testCases = append(testCases, testCase{
8558 name: "TLS13-WrongOuterRecord",
8559 config: Config{
8560 MaxVersion: VersionTLS13,
8561 MinVersion: VersionTLS13,
8562 Bugs: ProtocolBugs{
8563 OuterRecordType: recordTypeHandshake,
8564 },
8565 },
8566 shouldFail: true,
8567 expectedError: ":INVALID_OUTER_RECORD_TYPE:",
8568 })
8569}
8570
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8571func addSessionTicketTests() {
8572 testCases = append(testCases, testCase{
8573 // In TLS 1.2 and below, empty NewSessionTicket messages
8574 // mean the server changed its mind on sending a ticket.
8575 name: "SendEmptySessionTicket",
8576 config: Config{
8577 MaxVersion: VersionTLS12,
8578 Bugs: ProtocolBugs{
8579 SendEmptySessionTicket: true,
8580 },
8581 },
8582 flags: []string{"-expect-no-session"},
8583 })
8584
8585 // Test that the server ignores unknown PSK modes.
8586 testCases = append(testCases, testCase{
8587 testType: serverTest,
8588 name: "TLS13-SendUnknownModeSessionTicket-Server",
8589 config: Config{
8590 MaxVersion: VersionTLS13,
8591 Bugs: ProtocolBugs{
8592 SendPSKKeyExchangeModes: []byte{0x1a, pskDHEKEMode, 0x2a},
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8593 },
8594 },
8595 resumeSession: true,
8596 expectedResumeVersion: VersionTLS13,
8597 })
8598
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8599 // Test that the server does not send session tickets with no matching key exchange mode.
8600 testCases = append(testCases, testCase{
8601 testType: serverTest,
8602 name: "TLS13-ExpectNoSessionTicketOnBadKEMode-Server",
8603 config: Config{
8604 MaxVersion: VersionTLS13,
8605 Bugs: ProtocolBugs{
8606 SendPSKKeyExchangeModes: []byte{0x1a},
8607 ExpectNoNewSessionTicket: true,
8608 },
8609 },
8610 })
8611
8612 // Test that the server does not accept a session with no matching key exchange mode.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8613 testCases = append(testCases, testCase{
8614 testType: serverTest,
8615 name: "TLS13-SendBadKEModeSessionTicket-Server",
8616 config: Config{
8617 MaxVersion: VersionTLS13,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8618 },
8619 resumeConfig: &Config{
8620 MaxVersion: VersionTLS13,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8621 Bugs: ProtocolBugs{
8622 SendPSKKeyExchangeModes: []byte{0x1a},
8623 },
8624 },
8625 resumeSession: true,
8626 expectResumeRejected: true,
8627 })
8628
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8629 // Test that the client ticket age is sent correctly.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8630 testCases = append(testCases, testCase{
8631 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8632 name: "TLS13-TestValidTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8633 config: Config{
8634 MaxVersion: VersionTLS13,
8635 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8636 ExpectTicketAge: 10 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8637 },
8638 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8639 resumeSession: true,
8640 flags: []string{
8641 "-resumption-delay", "10",
8642 },
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8643 })
8644
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8645 // Test that the client ticket age is enforced.
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8646 testCases = append(testCases, testCase{
8647 testType: clientTest,
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8648 name: "TLS13-TestBadTicketAge-Client",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8649 config: Config{
8650 MaxVersion: VersionTLS13,
8651 Bugs: ProtocolBugs{
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8652 ExpectTicketAge: 1000 * time.Second,
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8653 },
8654 },
Steven Valdeza833c352016-11-01 13:39:36 -0400[diff] [blame]8655 resumeSession: true,
8656 shouldFail: true,
8657 expectedLocalError: "tls: invalid ticket age",
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8658 })
8659
David Benjamin35ac5b72017-03-03 15:05:56 -0500[diff] [blame]8660 // Test that the server's ticket age skew reporting works.
8661 testCases = append(testCases, testCase{
8662 testType: serverTest,
8663 name: "TLS13-TicketAgeSkew-Forward",
8664 config: Config{
8665 MaxVersion: VersionTLS13,
8666 Bugs: ProtocolBugs{
8667 SendTicketAge: 15 * time.Second,
8668 },
8669 },
8670 resumeSession: true,
8671 flags: []string{
8672 "-resumption-delay", "10",
8673 "-expect-ticket-age-skew", "5",
8674 },
8675 })
8676 testCases = append(testCases, testCase{
8677 testType: serverTest,
8678 name: "TLS13-TicketAgeSkew-Backward",
8679 config: Config{
8680 MaxVersion: VersionTLS13,
8681 Bugs: ProtocolBugs{
8682 SendTicketAge: 5 * time.Second,
8683 },
8684 },
8685 resumeSession: true,
8686 flags: []string{
8687 "-resumption-delay", "10",
8688 "-expect-ticket-age-skew", "-5",
8689 },
8690 })
8691
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8692 testCases = append(testCases, testCase{
8693 testType: clientTest,
8694 name: "TLS13-SendTicketEarlyDataInfo",
8695 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8696 MaxVersion: VersionTLS13,
8697 MaxEarlyDataSize: 16384,
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8698 },
8699 flags: []string{
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8700 "-enable-early-data",
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8701 "-expect-early-data-info",
8702 },
8703 })
8704
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8705 // Test that 0-RTT tickets are ignored in clients unless opted in.
8706 testCases = append(testCases, testCase{
8707 testType: clientTest,
8708 name: "TLS13-SendTicketEarlyDataInfo-Disabled",
8709 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8710 MaxVersion: VersionTLS13,
8711 MaxEarlyDataSize: 16384,
David Benjamin9b160662017-01-25 19:53:43 -0500[diff] [blame]8712 },
8713 })
8714
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8715 testCases = append(testCases, testCase{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8716 testType: clientTest,
8717 name: "TLS13-DuplicateTicketEarlyDataInfo",
8718 config: Config{
Nick Harperab20cec2016-12-19 17:38:41 -0800[diff] [blame]8719 MaxVersion: VersionTLS13,
8720 MaxEarlyDataSize: 16384,
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8721 Bugs: ProtocolBugs{
David Benjamin9c33ae82017-01-08 06:04:43 -0500[diff] [blame]8722 DuplicateTicketEarlyDataInfo: true,
8723 },
8724 },
8725 shouldFail: true,
8726 expectedError: ":DUPLICATE_EXTENSION:",
8727 expectedLocalError: "remote error: illegal parameter",
8728 })
8729
8730 testCases = append(testCases, testCase{
Steven Valdez08b65f42016-12-07 15:29:45 -0500[diff] [blame]8731 testType: serverTest,
8732 name: "TLS13-ExpectTicketEarlyDataInfo",
8733 config: Config{
8734 MaxVersion: VersionTLS13,
8735 Bugs: ProtocolBugs{
8736 ExpectTicketEarlyDataInfo: true,
8737 },
8738 },
8739 flags: []string{
8740 "-enable-early-data",
8741 },
8742 })
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8743
8744 // Test that, in TLS 1.3, the server-offered NewSessionTicket lifetime
8745 // is honored.
8746 testCases = append(testCases, testCase{
8747 testType: clientTest,
8748 name: "TLS13-HonorServerSessionTicketLifetime",
8749 config: Config{
8750 MaxVersion: VersionTLS13,
8751 Bugs: ProtocolBugs{
8752 SendTicketLifetime: 20 * time.Second,
8753 },
8754 },
8755 flags: []string{
8756 "-resumption-delay", "19",
8757 },
8758 resumeSession: true,
8759 })
8760 testCases = append(testCases, testCase{
8761 testType: clientTest,
8762 name: "TLS13-HonorServerSessionTicketLifetime-2",
8763 config: Config{
8764 MaxVersion: VersionTLS13,
8765 Bugs: ProtocolBugs{
8766 SendTicketLifetime: 20 * time.Second,
8767 // The client should not offer the expired session.
8768 ExpectNoTLS13PSK: true,
8769 },
8770 },
8771 flags: []string{
8772 "-resumption-delay", "21",
8773 },
David Benjamin023d4192017-02-06 13:49:07 -0500[diff] [blame]8774 resumeSession: true,
David Benjamin17b30832017-01-28 14:00:32 -0500[diff] [blame]8775 expectResumeRejected: true,
8776 })
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]8777}
8778
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8779func addChangeCipherSpecTests() {
8780 // Test missing ChangeCipherSpecs.
8781 testCases = append(testCases, testCase{
8782 name: "SkipChangeCipherSpec-Client",
8783 config: Config{
8784 MaxVersion: VersionTLS12,
8785 Bugs: ProtocolBugs{
8786 SkipChangeCipherSpec: true,
8787 },
8788 },
8789 shouldFail: true,
8790 expectedError: ":UNEXPECTED_RECORD:",
8791 })
8792 testCases = append(testCases, testCase{
8793 testType: serverTest,
8794 name: "SkipChangeCipherSpec-Server",
8795 config: Config{
8796 MaxVersion: VersionTLS12,
8797 Bugs: ProtocolBugs{
8798 SkipChangeCipherSpec: true,
8799 },
8800 },
8801 shouldFail: true,
8802 expectedError: ":UNEXPECTED_RECORD:",
8803 })
8804 testCases = append(testCases, testCase{
8805 testType: serverTest,
8806 name: "SkipChangeCipherSpec-Server-NPN",
8807 config: Config{
8808 MaxVersion: VersionTLS12,
8809 NextProtos: []string{"bar"},
8810 Bugs: ProtocolBugs{
8811 SkipChangeCipherSpec: true,
8812 },
8813 },
8814 flags: []string{
8815 "-advertise-npn", "\x03foo\x03bar\x03baz",
8816 },
8817 shouldFail: true,
8818 expectedError: ":UNEXPECTED_RECORD:",
8819 })
8820
8821 // Test synchronization between the handshake and ChangeCipherSpec.
8822 // Partial post-CCS handshake messages before ChangeCipherSpec should be
8823 // rejected. Test both with and without handshake packing to handle both
8824 // when the partial post-CCS message is in its own record and when it is
8825 // attached to the pre-CCS message.
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8826 for _, packed := range []bool{false, true} {
8827 var suffix string
8828 if packed {
8829 suffix = "-Packed"
8830 }
8831
8832 testCases = append(testCases, testCase{
8833 name: "FragmentAcrossChangeCipherSpec-Client" + suffix,
8834 config: Config{
8835 MaxVersion: VersionTLS12,
8836 Bugs: ProtocolBugs{
8837 FragmentAcrossChangeCipherSpec: true,
8838 PackHandshakeFlight: packed,
8839 },
8840 },
8841 shouldFail: true,
8842 expectedError: ":UNEXPECTED_RECORD:",
8843 })
8844 testCases = append(testCases, testCase{
8845 name: "FragmentAcrossChangeCipherSpec-Client-Resume" + suffix,
8846 config: Config{
8847 MaxVersion: VersionTLS12,
8848 },
8849 resumeSession: true,
8850 resumeConfig: &Config{
8851 MaxVersion: VersionTLS12,
8852 Bugs: ProtocolBugs{
8853 FragmentAcrossChangeCipherSpec: true,
8854 PackHandshakeFlight: packed,
8855 },
8856 },
8857 shouldFail: true,
8858 expectedError: ":UNEXPECTED_RECORD:",
8859 })
8860 testCases = append(testCases, testCase{
8861 testType: serverTest,
8862 name: "FragmentAcrossChangeCipherSpec-Server" + suffix,
8863 config: Config{
8864 MaxVersion: VersionTLS12,
8865 Bugs: ProtocolBugs{
8866 FragmentAcrossChangeCipherSpec: true,
8867 PackHandshakeFlight: packed,
8868 },
8869 },
8870 shouldFail: true,
8871 expectedError: ":UNEXPECTED_RECORD:",
8872 })
8873 testCases = append(testCases, testCase{
8874 testType: serverTest,
8875 name: "FragmentAcrossChangeCipherSpec-Server-Resume" + suffix,
8876 config: Config{
8877 MaxVersion: VersionTLS12,
8878 },
8879 resumeSession: true,
8880 resumeConfig: &Config{
8881 MaxVersion: VersionTLS12,
8882 Bugs: ProtocolBugs{
8883 FragmentAcrossChangeCipherSpec: true,
8884 PackHandshakeFlight: packed,
8885 },
8886 },
8887 shouldFail: true,
8888 expectedError: ":UNEXPECTED_RECORD:",
8889 })
8890 testCases = append(testCases, testCase{
8891 testType: serverTest,
8892 name: "FragmentAcrossChangeCipherSpec-Server-NPN" + suffix,
8893 config: Config{
8894 MaxVersion: VersionTLS12,
8895 NextProtos: []string{"bar"},
8896 Bugs: ProtocolBugs{
8897 FragmentAcrossChangeCipherSpec: true,
8898 PackHandshakeFlight: packed,
8899 },
8900 },
8901 flags: []string{
8902 "-advertise-npn", "\x03foo\x03bar\x03baz",
8903 },
8904 shouldFail: true,
8905 expectedError: ":UNEXPECTED_RECORD:",
8906 })
8907 }
8908
David Benjamin61672812016-07-14 23:10:43 -0400[diff] [blame]8909 // Test that, in DTLS, ChangeCipherSpec is not allowed when there are
8910 // messages in the handshake queue. Do this by testing the server
8911 // reading the client Finished, reversing the flight so Finished comes
8912 // first.
8913 testCases = append(testCases, testCase{
8914 protocol: dtls,
8915 testType: serverTest,
8916 name: "SendUnencryptedFinished-DTLS",
8917 config: Config{
8918 MaxVersion: VersionTLS12,
8919 Bugs: ProtocolBugs{
8920 SendUnencryptedFinished: true,
8921 ReverseHandshakeFragments: true,
8922 },
8923 },
8924 shouldFail: true,
8925 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8926 })
8927
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]8928 // Test synchronization between encryption changes and the handshake in
8929 // TLS 1.3, where ChangeCipherSpec is implicit.
8930 testCases = append(testCases, testCase{
8931 name: "PartialEncryptedExtensionsWithServerHello",
8932 config: Config{
8933 MaxVersion: VersionTLS13,
8934 Bugs: ProtocolBugs{
8935 PartialEncryptedExtensionsWithServerHello: true,
8936 },
8937 },
8938 shouldFail: true,
8939 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8940 })
8941 testCases = append(testCases, testCase{
8942 testType: serverTest,
8943 name: "PartialClientFinishedWithClientHello",
8944 config: Config{
8945 MaxVersion: VersionTLS13,
8946 Bugs: ProtocolBugs{
8947 PartialClientFinishedWithClientHello: true,
8948 },
8949 },
8950 shouldFail: true,
8951 expectedError: ":BUFFERED_MESSAGES_ON_CIPHER_CHANGE:",
8952 })
8953
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]8954 // Test that early ChangeCipherSpecs are handled correctly.
8955 testCases = append(testCases, testCase{
8956 testType: serverTest,
8957 name: "EarlyChangeCipherSpec-server-1",
8958 config: Config{
8959 MaxVersion: VersionTLS12,
8960 Bugs: ProtocolBugs{
8961 EarlyChangeCipherSpec: 1,
8962 },
8963 },
8964 shouldFail: true,
8965 expectedError: ":UNEXPECTED_RECORD:",
8966 })
8967 testCases = append(testCases, testCase{
8968 testType: serverTest,
8969 name: "EarlyChangeCipherSpec-server-2",
8970 config: Config{
8971 MaxVersion: VersionTLS12,
8972 Bugs: ProtocolBugs{
8973 EarlyChangeCipherSpec: 2,
8974 },
8975 },
8976 shouldFail: true,
8977 expectedError: ":UNEXPECTED_RECORD:",
8978 })
8979 testCases = append(testCases, testCase{
8980 protocol: dtls,
8981 name: "StrayChangeCipherSpec",
8982 config: Config{
8983 // TODO(davidben): Once DTLS 1.3 exists, test
8984 // that stray ChangeCipherSpec messages are
8985 // rejected.
8986 MaxVersion: VersionTLS12,
8987 Bugs: ProtocolBugs{
8988 StrayChangeCipherSpec: true,
8989 },
8990 },
8991 })
8992
8993 // Test that the contents of ChangeCipherSpec are checked.
8994 testCases = append(testCases, testCase{
8995 name: "BadChangeCipherSpec-1",
8996 config: Config{
8997 MaxVersion: VersionTLS12,
8998 Bugs: ProtocolBugs{
8999 BadChangeCipherSpec: []byte{2},
9000 },
9001 },
9002 shouldFail: true,
9003 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9004 })
9005 testCases = append(testCases, testCase{
9006 name: "BadChangeCipherSpec-2",
9007 config: Config{
9008 MaxVersion: VersionTLS12,
9009 Bugs: ProtocolBugs{
9010 BadChangeCipherSpec: []byte{1, 1},
9011 },
9012 },
9013 shouldFail: true,
9014 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9015 })
9016 testCases = append(testCases, testCase{
9017 protocol: dtls,
9018 name: "BadChangeCipherSpec-DTLS-1",
9019 config: Config{
9020 MaxVersion: VersionTLS12,
9021 Bugs: ProtocolBugs{
9022 BadChangeCipherSpec: []byte{2},
9023 },
9024 },
9025 shouldFail: true,
9026 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9027 })
9028 testCases = append(testCases, testCase{
9029 protocol: dtls,
9030 name: "BadChangeCipherSpec-DTLS-2",
9031 config: Config{
9032 MaxVersion: VersionTLS12,
9033 Bugs: ProtocolBugs{
9034 BadChangeCipherSpec: []byte{1, 1},
9035 },
9036 },
9037 shouldFail: true,
9038 expectedError: ":BAD_CHANGE_CIPHER_SPEC:",
9039 })
9040}
9041
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9042type perMessageTest struct {
9043 messageType uint8
9044 test testCase
9045}
9046
9047// makePerMessageTests returns a series of test templates which cover each
9048// message in the TLS handshake. These may be used with bugs like
9049// WrongMessageType to fully test a per-message bug.
9050func makePerMessageTests() []perMessageTest {
9051 var ret []perMessageTest
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9052 for _, protocol := range []protocol{tls, dtls} {
9053 var suffix string
9054 if protocol == dtls {
9055 suffix = "-DTLS"
9056 }
9057
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9058 ret = append(ret, perMessageTest{
9059 messageType: typeClientHello,
9060 test: testCase{
9061 protocol: protocol,
9062 testType: serverTest,
9063 name: "ClientHello" + suffix,
9064 config: Config{
9065 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9066 },
9067 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9068 })
9069
9070 if protocol == dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9071 ret = append(ret, perMessageTest{
9072 messageType: typeHelloVerifyRequest,
9073 test: testCase{
9074 protocol: protocol,
9075 name: "HelloVerifyRequest" + suffix,
9076 config: Config{
9077 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9078 },
9079 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9080 })
9081 }
9082
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9083 ret = append(ret, perMessageTest{
9084 messageType: typeServerHello,
9085 test: testCase{
9086 protocol: protocol,
9087 name: "ServerHello" + suffix,
9088 config: Config{
9089 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9090 },
9091 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9092 })
9093
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9094 ret = append(ret, perMessageTest{
9095 messageType: typeCertificate,
9096 test: testCase{
9097 protocol: protocol,
9098 name: "ServerCertificate" + suffix,
9099 config: Config{
9100 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9101 },
9102 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9103 })
9104
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9105 ret = append(ret, perMessageTest{
9106 messageType: typeCertificateStatus,
9107 test: testCase{
9108 protocol: protocol,
9109 name: "CertificateStatus" + suffix,
9110 config: Config{
9111 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9112 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9113 flags: []string{"-enable-ocsp-stapling"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9114 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9115 })
9116
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9117 ret = append(ret, perMessageTest{
9118 messageType: typeServerKeyExchange,
9119 test: testCase{
9120 protocol: protocol,
9121 name: "ServerKeyExchange" + suffix,
9122 config: Config{
9123 MaxVersion: VersionTLS12,
9124 CipherSuites: []uint16{TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9125 },
9126 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9127 })
9128
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9129 ret = append(ret, perMessageTest{
9130 messageType: typeCertificateRequest,
9131 test: testCase{
9132 protocol: protocol,
9133 name: "CertificateRequest" + suffix,
9134 config: Config{
9135 MaxVersion: VersionTLS12,
9136 ClientAuth: RequireAnyClientCert,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9137 },
9138 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9139 })
9140
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9141 ret = append(ret, perMessageTest{
9142 messageType: typeServerHelloDone,
9143 test: testCase{
9144 protocol: protocol,
9145 name: "ServerHelloDone" + suffix,
9146 config: Config{
9147 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9148 },
9149 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9150 })
9151
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9152 ret = append(ret, perMessageTest{
9153 messageType: typeCertificate,
9154 test: testCase{
9155 testType: serverTest,
9156 protocol: protocol,
9157 name: "ClientCertificate" + suffix,
9158 config: Config{
9159 Certificates: []Certificate{rsaCertificate},
9160 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9161 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9162 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9163 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9164 })
9165
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9166 ret = append(ret, perMessageTest{
9167 messageType: typeCertificateVerify,
9168 test: testCase{
9169 testType: serverTest,
9170 protocol: protocol,
9171 name: "CertificateVerify" + suffix,
9172 config: Config{
9173 Certificates: []Certificate{rsaCertificate},
9174 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9175 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9176 flags: []string{"-require-any-client-certificate"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9177 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9178 })
9179
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9180 ret = append(ret, perMessageTest{
9181 messageType: typeClientKeyExchange,
9182 test: testCase{
9183 testType: serverTest,
9184 protocol: protocol,
9185 name: "ClientKeyExchange" + suffix,
9186 config: Config{
9187 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9188 },
9189 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9190 })
9191
9192 if protocol != dtls {
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9193 ret = append(ret, perMessageTest{
9194 messageType: typeNextProtocol,
9195 test: testCase{
9196 testType: serverTest,
9197 protocol: protocol,
9198 name: "NextProtocol" + suffix,
9199 config: Config{
9200 MaxVersion: VersionTLS12,
9201 NextProtos: []string{"bar"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9202 },
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9203 flags: []string{"-advertise-npn", "\x03foo\x03bar\x03baz"},
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9204 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9205 })
9206
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9207 ret = append(ret, perMessageTest{
9208 messageType: typeChannelID,
9209 test: testCase{
9210 testType: serverTest,
9211 protocol: protocol,
9212 name: "ChannelID" + suffix,
9213 config: Config{
9214 MaxVersion: VersionTLS12,
9215 ChannelID: channelIDKey,
9216 },
9217 flags: []string{
9218 "-expect-channel-id",
9219 base64.StdEncoding.EncodeToString(channelIDBytes),
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9220 },
9221 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9222 })
9223 }
9224
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9225 ret = append(ret, perMessageTest{
9226 messageType: typeFinished,
9227 test: testCase{
9228 testType: serverTest,
9229 protocol: protocol,
9230 name: "ClientFinished" + suffix,
9231 config: Config{
9232 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9233 },
9234 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9235 })
9236
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9237 ret = append(ret, perMessageTest{
9238 messageType: typeNewSessionTicket,
9239 test: testCase{
9240 protocol: protocol,
9241 name: "NewSessionTicket" + suffix,
9242 config: Config{
9243 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9244 },
9245 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9246 })
9247
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9248 ret = append(ret, perMessageTest{
9249 messageType: typeFinished,
9250 test: testCase{
9251 protocol: protocol,
9252 name: "ServerFinished" + suffix,
9253 config: Config{
9254 MaxVersion: VersionTLS12,
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9255 },
9256 },
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9257 })
9258
9259 }
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9260
9261 ret = append(ret, perMessageTest{
9262 messageType: typeClientHello,
9263 test: testCase{
9264 testType: serverTest,
9265 name: "TLS13-ClientHello",
9266 config: Config{
9267 MaxVersion: VersionTLS13,
9268 },
9269 },
9270 })
9271
9272 ret = append(ret, perMessageTest{
9273 messageType: typeServerHello,
9274 test: testCase{
9275 name: "TLS13-ServerHello",
9276 config: Config{
9277 MaxVersion: VersionTLS13,
9278 },
9279 },
9280 })
9281
9282 ret = append(ret, perMessageTest{
9283 messageType: typeEncryptedExtensions,
9284 test: testCase{
9285 name: "TLS13-EncryptedExtensions",
9286 config: Config{
9287 MaxVersion: VersionTLS13,
9288 },
9289 },
9290 })
9291
9292 ret = append(ret, perMessageTest{
9293 messageType: typeCertificateRequest,
9294 test: testCase{
9295 name: "TLS13-CertificateRequest",
9296 config: Config{
9297 MaxVersion: VersionTLS13,
9298 ClientAuth: RequireAnyClientCert,
9299 },
9300 },
9301 })
9302
9303 ret = append(ret, perMessageTest{
9304 messageType: typeCertificate,
9305 test: testCase{
9306 name: "TLS13-ServerCertificate",
9307 config: Config{
9308 MaxVersion: VersionTLS13,
9309 },
9310 },
9311 })
9312
9313 ret = append(ret, perMessageTest{
9314 messageType: typeCertificateVerify,
9315 test: testCase{
9316 name: "TLS13-ServerCertificateVerify",
9317 config: Config{
9318 MaxVersion: VersionTLS13,
9319 },
9320 },
9321 })
9322
9323 ret = append(ret, perMessageTest{
9324 messageType: typeFinished,
9325 test: testCase{
9326 name: "TLS13-ServerFinished",
9327 config: Config{
9328 MaxVersion: VersionTLS13,
9329 },
9330 },
9331 })
9332
9333 ret = append(ret, perMessageTest{
9334 messageType: typeCertificate,
9335 test: testCase{
9336 testType: serverTest,
9337 name: "TLS13-ClientCertificate",
9338 config: Config{
9339 Certificates: []Certificate{rsaCertificate},
9340 MaxVersion: VersionTLS13,
9341 },
9342 flags: []string{"-require-any-client-certificate"},
9343 },
9344 })
9345
9346 ret = append(ret, perMessageTest{
9347 messageType: typeCertificateVerify,
9348 test: testCase{
9349 testType: serverTest,
9350 name: "TLS13-ClientCertificateVerify",
9351 config: Config{
9352 Certificates: []Certificate{rsaCertificate},
9353 MaxVersion: VersionTLS13,
9354 },
9355 flags: []string{"-require-any-client-certificate"},
9356 },
9357 })
9358
9359 ret = append(ret, perMessageTest{
9360 messageType: typeFinished,
9361 test: testCase{
9362 testType: serverTest,
9363 name: "TLS13-ClientFinished",
9364 config: Config{
9365 MaxVersion: VersionTLS13,
9366 },
9367 },
9368 })
9369
9370 return ret
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]9371}
9372
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9373func addWrongMessageTypeTests() {
9374 for _, t := range makePerMessageTests() {
9375 t.test.name = "WrongMessageType-" + t.test.name
9376 t.test.config.Bugs.SendWrongMessageType = t.messageType
9377 t.test.shouldFail = true
9378 t.test.expectedError = ":UNEXPECTED_MESSAGE:"
9379 t.test.expectedLocalError = "remote error: unexpected message"
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9380
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9381 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9382 // In TLS 1.3, a bad ServerHello means the client sends
9383 // an unencrypted alert while the server expects
9384 // encryption, so the alert is not readable by runner.
9385 t.test.expectedLocalError = "local error: bad record MAC"
9386 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9387
David Benjamincd2c8062016-09-09 11:28:16 -0400[diff] [blame]9388 testCases = append(testCases, t.test)
9389 }
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9390}
9391
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]9392func addTrailingMessageDataTests() {
9393 for _, t := range makePerMessageTests() {
9394 t.test.name = "TrailingMessageData-" + t.test.name
9395 t.test.config.Bugs.SendTrailingMessageData = t.messageType
9396 t.test.shouldFail = true
9397 t.test.expectedError = ":DECODE_ERROR:"
9398 t.test.expectedLocalError = "remote error: error decoding message"
9399
9400 if t.test.config.MaxVersion >= VersionTLS13 && t.messageType == typeServerHello {
9401 // In TLS 1.3, a bad ServerHello means the client sends
9402 // an unencrypted alert while the server expects
9403 // encryption, so the alert is not readable by runner.
9404 t.test.expectedLocalError = "local error: bad record MAC"
9405 }
9406
9407 if t.messageType == typeFinished {
9408 // Bad Finished messages read as the verify data having
9409 // the wrong length.
9410 t.test.expectedError = ":DIGEST_CHECK_FAILED:"
9411 t.test.expectedLocalError = "remote error: error decrypting message"
9412 }
9413
9414 testCases = append(testCases, t.test)
9415 }
9416}
9417
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9418func addTLS13HandshakeTests() {
9419 testCases = append(testCases, testCase{
9420 testType: clientTest,
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9421 name: "NegotiatePSKResumption-TLS13",
9422 config: Config{
9423 MaxVersion: VersionTLS13,
9424 Bugs: ProtocolBugs{
9425 NegotiatePSKResumption: true,
9426 },
9427 },
9428 resumeSession: true,
9429 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9430 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez803c77a2016-09-06 14:13:43 -0400[diff] [blame]9431 })
9432
9433 testCases = append(testCases, testCase{
9434 testType: clientTest,
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9435 name: "MissingKeyShare-Client",
9436 config: Config{
9437 MaxVersion: VersionTLS13,
9438 Bugs: ProtocolBugs{
9439 MissingKeyShare: true,
9440 },
9441 },
9442 shouldFail: true,
David Benjamindb5bd722016-12-08 18:21:27 -0500[diff] [blame]9443 expectedError: ":MISSING_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9444 })
9445
9446 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9447 testType: serverTest,
9448 name: "MissingKeyShare-Server",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9449 config: Config{
9450 MaxVersion: VersionTLS13,
9451 Bugs: ProtocolBugs{
9452 MissingKeyShare: true,
9453 },
9454 },
9455 shouldFail: true,
9456 expectedError: ":MISSING_KEY_SHARE:",
9457 })
9458
9459 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9460 testType: serverTest,
9461 name: "DuplicateKeyShares",
9462 config: Config{
9463 MaxVersion: VersionTLS13,
9464 Bugs: ProtocolBugs{
9465 DuplicateKeyShares: true,
9466 },
9467 },
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9468 shouldFail: true,
9469 expectedError: ":DUPLICATE_KEY_SHARE:",
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9470 })
9471
9472 testCases = append(testCases, testCase{
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9473 testType: serverTest,
9474 name: "SkipEarlyData",
9475 config: Config{
9476 MaxVersion: VersionTLS13,
9477 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9478 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9479 },
9480 },
9481 })
9482
9483 testCases = append(testCases, testCase{
9484 testType: serverTest,
9485 name: "SkipEarlyData-OmitEarlyDataExtension",
9486 config: Config{
9487 MaxVersion: VersionTLS13,
9488 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9489 SendFakeEarlyDataLength: 4,
9490 OmitEarlyDataExtension: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9491 },
9492 },
9493 shouldFail: true,
9494 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9495 })
9496
9497 testCases = append(testCases, testCase{
9498 testType: serverTest,
9499 name: "SkipEarlyData-TooMuchData",
9500 config: Config{
9501 MaxVersion: VersionTLS13,
9502 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9503 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9504 },
9505 },
9506 shouldFail: true,
9507 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9508 })
9509
9510 testCases = append(testCases, testCase{
9511 testType: serverTest,
9512 name: "SkipEarlyData-Interleaved",
9513 config: Config{
9514 MaxVersion: VersionTLS13,
9515 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9516 SendFakeEarlyDataLength: 4,
9517 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9518 },
9519 },
9520 shouldFail: true,
9521 expectedError: ":DECRYPTION_FAILED_OR_BAD_RECORD_MAC:",
9522 })
9523
9524 testCases = append(testCases, testCase{
9525 testType: serverTest,
9526 name: "SkipEarlyData-EarlyDataInTLS12",
9527 config: Config{
9528 MaxVersion: VersionTLS13,
9529 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9530 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9531 },
9532 },
9533 shouldFail: true,
9534 expectedError: ":UNEXPECTED_RECORD:",
9535 flags: []string{"-max-version", strconv.Itoa(VersionTLS12)},
9536 })
9537
9538 testCases = append(testCases, testCase{
9539 testType: serverTest,
9540 name: "SkipEarlyData-HRR",
9541 config: Config{
9542 MaxVersion: VersionTLS13,
9543 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9544 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9545 },
9546 DefaultCurves: []CurveID{},
9547 },
9548 })
9549
9550 testCases = append(testCases, testCase{
9551 testType: serverTest,
9552 name: "SkipEarlyData-HRR-Interleaved",
9553 config: Config{
9554 MaxVersion: VersionTLS13,
9555 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9556 SendFakeEarlyDataLength: 4,
9557 InterleaveEarlyData: true,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9558 },
9559 DefaultCurves: []CurveID{},
9560 },
9561 shouldFail: true,
9562 expectedError: ":UNEXPECTED_RECORD:",
9563 })
9564
9565 testCases = append(testCases, testCase{
9566 testType: serverTest,
9567 name: "SkipEarlyData-HRR-TooMuchData",
9568 config: Config{
9569 MaxVersion: VersionTLS13,
9570 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9571 SendFakeEarlyDataLength: 16384 + 1,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9572 },
9573 DefaultCurves: []CurveID{},
9574 },
9575 shouldFail: true,
9576 expectedError: ":TOO_MUCH_SKIPPED_EARLY_DATA:",
9577 })
9578
9579 // Test that skipping early data looking for cleartext correctly
9580 // processes an alert record.
9581 testCases = append(testCases, testCase{
9582 testType: serverTest,
9583 name: "SkipEarlyData-HRR-FatalAlert",
9584 config: Config{
9585 MaxVersion: VersionTLS13,
9586 Bugs: ProtocolBugs{
Nick Harperf2511f12016-12-06 16:02:31 -0800[diff] [blame]9587 SendEarlyAlert: true,
9588 SendFakeEarlyDataLength: 4,
Steven Valdeza4ee74d2016-11-29 13:36:45 -0500[diff] [blame]9589 },
9590 DefaultCurves: []CurveID{},
9591 },
9592 shouldFail: true,
9593 expectedError: ":SSLV3_ALERT_HANDSHAKE_FAILURE:",
9594 })
9595
9596 testCases = append(testCases, testCase{
9597 testType: serverTest,
9598 name: "SkipEarlyData-SecondClientHelloEarlyData",
9599 config: Config{
9600 MaxVersion: VersionTLS13,
9601 Bugs: ProtocolBugs{
9602 SendEarlyDataOnSecondClientHello: true,
9603 },
9604 DefaultCurves: []CurveID{},
9605 },
9606 shouldFail: true,
9607 expectedLocalError: "remote error: bad record MAC",
9608 })
9609
9610 testCases = append(testCases, testCase{
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]9611 testType: clientTest,
9612 name: "EmptyEncryptedExtensions",
9613 config: Config{
9614 MaxVersion: VersionTLS13,
9615 Bugs: ProtocolBugs{
9616 EmptyEncryptedExtensions: true,
9617 },
9618 },
9619 shouldFail: true,
9620 expectedLocalError: "remote error: error decoding message",
9621 })
9622
9623 testCases = append(testCases, testCase{
9624 testType: clientTest,
9625 name: "EncryptedExtensionsWithKeyShare",
9626 config: Config{
9627 MaxVersion: VersionTLS13,
9628 Bugs: ProtocolBugs{
9629 EncryptedExtensionsWithKeyShare: true,
9630 },
9631 },
9632 shouldFail: true,
9633 expectedLocalError: "remote error: unsupported extension",
9634 })
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9635
9636 testCases = append(testCases, testCase{
9637 testType: serverTest,
9638 name: "SendHelloRetryRequest",
9639 config: Config{
9640 MaxVersion: VersionTLS13,
9641 // Require a HelloRetryRequest for every curve.
9642 DefaultCurves: []CurveID{},
9643 },
9644 expectedCurveID: CurveX25519,
9645 })
9646
9647 testCases = append(testCases, testCase{
9648 testType: serverTest,
9649 name: "SendHelloRetryRequest-2",
9650 config: Config{
9651 MaxVersion: VersionTLS13,
9652 DefaultCurves: []CurveID{CurveP384},
9653 },
9654 // Although the ClientHello did not predict our preferred curve,
9655 // we always select it whether it is predicted or not.
9656 expectedCurveID: CurveX25519,
9657 })
9658
9659 testCases = append(testCases, testCase{
9660 name: "UnknownCurve-HelloRetryRequest",
9661 config: Config{
9662 MaxVersion: VersionTLS13,
9663 // P-384 requires HelloRetryRequest in BoringSSL.
9664 CurvePreferences: []CurveID{CurveP384},
9665 Bugs: ProtocolBugs{
9666 SendHelloRetryRequestCurve: bogusCurve,
9667 },
9668 },
9669 shouldFail: true,
9670 expectedError: ":WRONG_CURVE:",
9671 })
9672
9673 testCases = append(testCases, testCase{
9674 name: "DisabledCurve-HelloRetryRequest",
9675 config: Config{
9676 MaxVersion: VersionTLS13,
9677 CurvePreferences: []CurveID{CurveP256},
9678 Bugs: ProtocolBugs{
9679 IgnorePeerCurvePreferences: true,
9680 },
9681 },
9682 flags: []string{"-p384-only"},
9683 shouldFail: true,
9684 expectedError: ":WRONG_CURVE:",
9685 })
9686
9687 testCases = append(testCases, testCase{
9688 name: "UnnecessaryHelloRetryRequest",
9689 config: Config{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9690 MaxVersion: VersionTLS13,
9691 CurvePreferences: []CurveID{CurveX25519},
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9692 Bugs: ProtocolBugs{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9693 SendHelloRetryRequestCurve: CurveX25519,
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9694 },
9695 },
9696 shouldFail: true,
9697 expectedError: ":WRONG_CURVE:",
9698 })
9699
9700 testCases = append(testCases, testCase{
9701 name: "SecondHelloRetryRequest",
9702 config: Config{
9703 MaxVersion: VersionTLS13,
9704 // P-384 requires HelloRetryRequest in BoringSSL.
9705 CurvePreferences: []CurveID{CurveP384},
9706 Bugs: ProtocolBugs{
9707 SecondHelloRetryRequest: true,
9708 },
9709 },
9710 shouldFail: true,
9711 expectedError: ":UNEXPECTED_MESSAGE:",
9712 })
9713
9714 testCases = append(testCases, testCase{
David Benjamin3baa6e12016-10-07 21:10:38 -0400[diff] [blame]9715 name: "HelloRetryRequest-Empty",
9716 config: Config{
9717 MaxVersion: VersionTLS13,
9718 Bugs: ProtocolBugs{
9719 AlwaysSendHelloRetryRequest: true,
9720 },
9721 },
9722 shouldFail: true,
9723 expectedError: ":DECODE_ERROR:",
9724 })
9725
9726 testCases = append(testCases, testCase{
9727 name: "HelloRetryRequest-DuplicateCurve",
9728 config: Config{
9729 MaxVersion: VersionTLS13,
9730 // P-384 requires a HelloRetryRequest against BoringSSL's default
9731 // configuration. Assert this ExpectMissingKeyShare.
9732 CurvePreferences: []CurveID{CurveP384},
9733 Bugs: ProtocolBugs{
9734 ExpectMissingKeyShare: true,
9735 DuplicateHelloRetryRequestExtensions: true,
9736 },
9737 },
9738 shouldFail: true,
9739 expectedError: ":DUPLICATE_EXTENSION:",
9740 expectedLocalError: "remote error: illegal parameter",
9741 })
9742
9743 testCases = append(testCases, testCase{
9744 name: "HelloRetryRequest-Cookie",
9745 config: Config{
9746 MaxVersion: VersionTLS13,
9747 Bugs: ProtocolBugs{
9748 SendHelloRetryRequestCookie: []byte("cookie"),
9749 },
9750 },
9751 })
9752
9753 testCases = append(testCases, testCase{
9754 name: "HelloRetryRequest-DuplicateCookie",
9755 config: Config{
9756 MaxVersion: VersionTLS13,
9757 Bugs: ProtocolBugs{
9758 SendHelloRetryRequestCookie: []byte("cookie"),
9759 DuplicateHelloRetryRequestExtensions: true,
9760 },
9761 },
9762 shouldFail: true,
9763 expectedError: ":DUPLICATE_EXTENSION:",
9764 expectedLocalError: "remote error: illegal parameter",
9765 })
9766
9767 testCases = append(testCases, testCase{
9768 name: "HelloRetryRequest-EmptyCookie",
9769 config: Config{
9770 MaxVersion: VersionTLS13,
9771 Bugs: ProtocolBugs{
9772 SendHelloRetryRequestCookie: []byte{},
9773 },
9774 },
9775 shouldFail: true,
9776 expectedError: ":DECODE_ERROR:",
9777 })
9778
9779 testCases = append(testCases, testCase{
9780 name: "HelloRetryRequest-Cookie-Curve",
9781 config: Config{
9782 MaxVersion: VersionTLS13,
9783 // P-384 requires HelloRetryRequest in BoringSSL.
9784 CurvePreferences: []CurveID{CurveP384},
9785 Bugs: ProtocolBugs{
9786 SendHelloRetryRequestCookie: []byte("cookie"),
9787 ExpectMissingKeyShare: true,
9788 },
9789 },
9790 })
9791
9792 testCases = append(testCases, testCase{
9793 name: "HelloRetryRequest-Unknown",
9794 config: Config{
9795 MaxVersion: VersionTLS13,
9796 Bugs: ProtocolBugs{
9797 CustomHelloRetryRequestExtension: "extension",
9798 },
9799 },
9800 shouldFail: true,
9801 expectedError: ":UNEXPECTED_EXTENSION:",
9802 expectedLocalError: "remote error: unsupported extension",
9803 })
9804
9805 testCases = append(testCases, testCase{
Steven Valdez5440fe02016-07-18 12:40:30 -0400[diff] [blame]9806 testType: serverTest,
9807 name: "SecondClientHelloMissingKeyShare",
9808 config: Config{
9809 MaxVersion: VersionTLS13,
9810 DefaultCurves: []CurveID{},
9811 Bugs: ProtocolBugs{
9812 SecondClientHelloMissingKeyShare: true,
9813 },
9814 },
9815 shouldFail: true,
9816 expectedError: ":MISSING_KEY_SHARE:",
9817 })
9818
9819 testCases = append(testCases, testCase{
9820 testType: serverTest,
9821 name: "SecondClientHelloWrongCurve",
9822 config: Config{
9823 MaxVersion: VersionTLS13,
9824 DefaultCurves: []CurveID{},
9825 Bugs: ProtocolBugs{
9826 MisinterpretHelloRetryRequestCurve: CurveP521,
9827 },
9828 },
9829 shouldFail: true,
9830 expectedError: ":WRONG_CURVE:",
9831 })
9832
9833 testCases = append(testCases, testCase{
9834 name: "HelloRetryRequestVersionMismatch",
9835 config: Config{
9836 MaxVersion: VersionTLS13,
9837 // P-384 requires HelloRetryRequest in BoringSSL.
9838 CurvePreferences: []CurveID{CurveP384},
9839 Bugs: ProtocolBugs{
9840 SendServerHelloVersion: 0x0305,
9841 },
9842 },
9843 shouldFail: true,
9844 expectedError: ":WRONG_VERSION_NUMBER:",
9845 })
9846
9847 testCases = append(testCases, testCase{
9848 name: "HelloRetryRequestCurveMismatch",
9849 config: Config{
9850 MaxVersion: VersionTLS13,
9851 // P-384 requires HelloRetryRequest in BoringSSL.
9852 CurvePreferences: []CurveID{CurveP384},
9853 Bugs: ProtocolBugs{
9854 // Send P-384 (correct) in the HelloRetryRequest.
9855 SendHelloRetryRequestCurve: CurveP384,
9856 // But send P-256 in the ServerHello.
9857 SendCurve: CurveP256,
9858 },
9859 },
9860 shouldFail: true,
9861 expectedError: ":WRONG_CURVE:",
9862 })
9863
9864 // Test the server selecting a curve that requires a HelloRetryRequest
9865 // without sending it.
9866 testCases = append(testCases, testCase{
9867 name: "SkipHelloRetryRequest",
9868 config: Config{
9869 MaxVersion: VersionTLS13,
9870 // P-384 requires HelloRetryRequest in BoringSSL.
9871 CurvePreferences: []CurveID{CurveP384},
9872 Bugs: ProtocolBugs{
9873 SkipHelloRetryRequest: true,
9874 },
9875 },
9876 shouldFail: true,
9877 expectedError: ":WRONG_CURVE:",
9878 })
David Benjamin8a8349b2016-08-18 02:32:23 -0400[diff] [blame]9879
9880 testCases = append(testCases, testCase{
9881 name: "TLS13-RequestContextInHandshake",
9882 config: Config{
9883 MaxVersion: VersionTLS13,
9884 MinVersion: VersionTLS13,
9885 ClientAuth: RequireAnyClientCert,
9886 Bugs: ProtocolBugs{
9887 SendRequestContext: []byte("request context"),
9888 },
9889 },
9890 flags: []string{
9891 "-cert-file", path.Join(*resourceDir, rsaCertificateFile),
9892 "-key-file", path.Join(*resourceDir, rsaKeyFile),
9893 },
9894 shouldFail: true,
9895 expectedError: ":DECODE_ERROR:",
9896 })
David Benjamin7e1f9842016-09-20 19:24:40 -0400[diff] [blame]9897
9898 testCases = append(testCases, testCase{
9899 testType: serverTest,
9900 name: "TLS13-TrailingKeyShareData",
9901 config: Config{
9902 MaxVersion: VersionTLS13,
9903 Bugs: ProtocolBugs{
9904 TrailingKeyShareData: true,
9905 },
9906 },
9907 shouldFail: true,
9908 expectedError: ":DECODE_ERROR:",
9909 })
David Benjamin7f78df42016-10-05 22:33:19 -0400[diff] [blame]9910
9911 testCases = append(testCases, testCase{
9912 name: "TLS13-AlwaysSelectPSKIdentity",
9913 config: Config{
9914 MaxVersion: VersionTLS13,
9915 Bugs: ProtocolBugs{
9916 AlwaysSelectPSKIdentity: true,
9917 },
9918 },
9919 shouldFail: true,
9920 expectedError: ":UNEXPECTED_EXTENSION:",
9921 })
9922
9923 testCases = append(testCases, testCase{
9924 name: "TLS13-InvalidPSKIdentity",
9925 config: Config{
9926 MaxVersion: VersionTLS13,
9927 Bugs: ProtocolBugs{
9928 SelectPSKIdentityOnResume: 1,
9929 },
9930 },
9931 resumeSession: true,
9932 shouldFail: true,
9933 expectedError: ":PSK_IDENTITY_NOT_FOUND:",
9934 })
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9935
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9936 testCases = append(testCases, testCase{
9937 testType: serverTest,
9938 name: "TLS13-ExtraPSKIdentity",
9939 config: Config{
9940 MaxVersion: VersionTLS13,
9941 Bugs: ProtocolBugs{
David Benjaminaedf3032016-12-01 16:47:56 -0500[diff] [blame]9942 ExtraPSKIdentity: true,
9943 SendExtraPSKBinder: true,
Steven Valdezaf3b8a92016-11-01 12:49:22 -0400[diff] [blame]9944 },
9945 },
9946 resumeSession: true,
9947 })
9948
David Benjamin1286bee2016-10-07 15:25:06 -0400[diff] [blame]9949 // Test that unknown NewSessionTicket extensions are tolerated.
9950 testCases = append(testCases, testCase{
9951 name: "TLS13-CustomTicketExtension",
9952 config: Config{
9953 MaxVersion: VersionTLS13,
9954 Bugs: ProtocolBugs{
9955 CustomTicketExtension: "1234",
9956 },
9957 },
9958 })
Steven Valdez2d850622017-01-11 11:34:52 -0500[diff] [blame]9959
9960 // Test that we accept data-less early data.
9961 testCases = append(testCases, testCase{
9962 testType: serverTest,
9963 name: "TLS13-DataLessEarlyData-Server",
9964 config: Config{
9965 MaxVersion: VersionTLS13,
9966 Bugs: ProtocolBugs{
9967 SendEarlyData: [][]byte{},
9968 ExpectEarlyDataAccepted: true,
9969 },
9970 },
9971 resumeSession: true,
9972 flags: []string{
9973 "-enable-early-data",
9974 "-expect-accept-early-data",
9975 },
9976 })
9977
9978 testCases = append(testCases, testCase{
9979 testType: clientTest,
9980 name: "TLS13-DataLessEarlyData-Client",
9981 config: Config{
9982 MaxVersion: VersionTLS13,
9983 MaxEarlyDataSize: 16384,
9984 },
9985 resumeSession: true,
9986 flags: []string{
9987 "-enable-early-data",
9988 "-expect-early-data-info",
9989 "-expect-accept-early-data",
9990 },
9991 })
9992
9993 testCases = append(testCases, testCase{
9994 testType: clientTest,
9995 name: "TLS13-DataLessEarlyData-Reject-Client",
9996 config: Config{
9997 MaxVersion: VersionTLS13,
9998 MaxEarlyDataSize: 16384,
9999 },
10000 resumeConfig: &Config{
10001 MaxVersion: VersionTLS13,
10002 MaxEarlyDataSize: 16384,
10003 Bugs: ProtocolBugs{
10004 AlwaysRejectEarlyData: true,
10005 },
10006 },
10007 resumeSession: true,
10008 flags: []string{
10009 "-enable-early-data",
10010 "-expect-early-data-info",
10011 "-expect-reject-early-data",
10012 },
10013 })
10014
10015 testCases = append(testCases, testCase{
10016 testType: clientTest,
10017 name: "TLS13-DataLessEarlyData-HRR-Client",
10018 config: Config{
10019 MaxVersion: VersionTLS13,
10020 MaxEarlyDataSize: 16384,
10021 },
10022 resumeConfig: &Config{
10023 MaxVersion: VersionTLS13,
10024 MaxEarlyDataSize: 16384,
10025 Bugs: ProtocolBugs{
10026 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10027 },
10028 },
10029 resumeSession: true,
10030 flags: []string{
10031 "-enable-early-data",
10032 "-expect-early-data-info",
10033 "-expect-reject-early-data",
10034 },
10035 })
10036
10037 // The client must check the server does not send the early_data
10038 // extension while rejecting the session.
10039 testCases = append(testCases, testCase{
10040 testType: clientTest,
10041 name: "TLS13-EarlyDataWithoutResume-Client",
10042 config: Config{
10043 MaxVersion: VersionTLS13,
10044 MaxEarlyDataSize: 16384,
10045 },
10046 resumeConfig: &Config{
10047 MaxVersion: VersionTLS13,
10048 SessionTicketsDisabled: true,
10049 Bugs: ProtocolBugs{
10050 SendEarlyDataExtension: true,
10051 },
10052 },
10053 resumeSession: true,
10054 flags: []string{
10055 "-enable-early-data",
10056 "-expect-early-data-info",
10057 },
10058 shouldFail: true,
10059 expectedError: ":UNEXPECTED_EXTENSION:",
10060 })
10061
10062 // The client must fail with a dedicated error code if the server
10063 // responds with TLS 1.2 when offering 0-RTT.
10064 testCases = append(testCases, testCase{
10065 testType: clientTest,
10066 name: "TLS13-EarlyDataVersionDowngrade-Client",
10067 config: Config{
10068 MaxVersion: VersionTLS13,
10069 MaxEarlyDataSize: 16384,
10070 },
10071 resumeConfig: &Config{
10072 MaxVersion: VersionTLS12,
10073 },
10074 resumeSession: true,
10075 flags: []string{
10076 "-enable-early-data",
10077 "-expect-early-data-info",
10078 },
10079 shouldFail: true,
10080 expectedError: ":WRONG_VERSION_ON_EARLY_DATA:",
10081 })
10082
10083 // Test that the client rejects an (unsolicited) early_data extension if
10084 // the server sent an HRR.
10085 testCases = append(testCases, testCase{
10086 testType: clientTest,
10087 name: "TLS13-ServerAcceptsEarlyDataOnHRR-Client",
10088 config: Config{
10089 MaxVersion: VersionTLS13,
10090 MaxEarlyDataSize: 16384,
10091 },
10092 resumeConfig: &Config{
10093 MaxVersion: VersionTLS13,
10094 MaxEarlyDataSize: 16384,
10095 Bugs: ProtocolBugs{
10096 SendHelloRetryRequestCookie: []byte{1, 2, 3, 4},
10097 SendEarlyDataExtension: true,
10098 },
10099 },
10100 resumeSession: true,
10101 flags: []string{
10102 "-enable-early-data",
10103 "-expect-early-data-info",
10104 },
10105 shouldFail: true,
10106 expectedError: ":UNEXPECTED_EXTENSION:",
10107 })
10108
10109 fooString := "foo"
10110 barString := "bar"
10111
10112 // Test that the client reports the correct ALPN after a 0-RTT reject
10113 // that changed it.
10114 testCases = append(testCases, testCase{
10115 testType: clientTest,
10116 name: "TLS13-DataLessEarlyData-ALPNMismatch-Client",
10117 config: Config{
10118 MaxVersion: VersionTLS13,
10119 MaxEarlyDataSize: 16384,
10120 Bugs: ProtocolBugs{
10121 ALPNProtocol: &fooString,
10122 },
10123 },
10124 resumeConfig: &Config{
10125 MaxVersion: VersionTLS13,
10126 MaxEarlyDataSize: 16384,
10127 Bugs: ProtocolBugs{
10128 ALPNProtocol: &barString,
10129 },
10130 },
10131 resumeSession: true,
10132 flags: []string{
10133 "-advertise-alpn", "\x03foo\x03bar",
10134 "-enable-early-data",
10135 "-expect-early-data-info",
10136 "-expect-reject-early-data",
10137 "-expect-alpn", "foo",
10138 "-expect-resume-alpn", "bar",
10139 },
10140 })
10141
10142 // Test that the client reports the correct ALPN after a 0-RTT reject if
10143 // ALPN was omitted from the first connection.
10144 testCases = append(testCases, testCase{
10145 testType: clientTest,
10146 name: "TLS13-DataLessEarlyData-ALPNOmitted1-Client",
10147 config: Config{
10148 MaxVersion: VersionTLS13,
10149 MaxEarlyDataSize: 16384,
10150 },
10151 resumeConfig: &Config{
10152 MaxVersion: VersionTLS13,
10153 MaxEarlyDataSize: 16384,
10154 NextProtos: []string{"foo"},
10155 },
10156 resumeSession: true,
10157 flags: []string{
10158 "-advertise-alpn", "\x03foo\x03bar",
10159 "-enable-early-data",
10160 "-expect-early-data-info",
10161 "-expect-reject-early-data",
10162 "-expect-no-alpn",
10163 "-expect-resume-alpn", "foo",
10164 },
10165 })
10166
10167 // Test that the client reports the correct ALPN after a 0-RTT reject if
10168 // ALPN was omitted from the second connection.
10169 testCases = append(testCases, testCase{
10170 testType: clientTest,
10171 name: "TLS13-DataLessEarlyData-ALPNOmitted2-Client",
10172 config: Config{
10173 MaxVersion: VersionTLS13,
10174 MaxEarlyDataSize: 16384,
10175 NextProtos: []string{"foo"},
10176 },
10177 resumeConfig: &Config{
10178 MaxVersion: VersionTLS13,
10179 MaxEarlyDataSize: 16384,
10180 },
10181 resumeSession: true,
10182 flags: []string{
10183 "-advertise-alpn", "\x03foo\x03bar",
10184 "-enable-early-data",
10185 "-expect-early-data-info",
10186 "-expect-reject-early-data",
10187 "-expect-alpn", "foo",
10188 "-expect-no-resume-alpn",
10189 },
10190 })
10191
10192 // Test that the client enforces ALPN match on 0-RTT accept.
10193 testCases = append(testCases, testCase{
10194 testType: clientTest,
10195 name: "TLS13-DataLessEarlyData-BadALPNMismatch-Client",
10196 config: Config{
10197 MaxVersion: VersionTLS13,
10198 MaxEarlyDataSize: 16384,
10199 Bugs: ProtocolBugs{
10200 ALPNProtocol: &fooString,
10201 },
10202 },
10203 resumeConfig: &Config{
10204 MaxVersion: VersionTLS13,
10205 MaxEarlyDataSize: 16384,
10206 Bugs: ProtocolBugs{
10207 AlwaysAcceptEarlyData: true,
10208 ALPNProtocol: &barString,
10209 },
10210 },
10211 resumeSession: true,
10212 flags: []string{
10213 "-advertise-alpn", "\x03foo\x03bar",
10214 "-enable-early-data",
10215 "-expect-early-data-info",
10216 },
10217 shouldFail: true,
10218 expectedError: ":ALPN_MISMATCH_ON_EARLY_DATA:",
10219 })
10220
10221 // Test that the server correctly rejects 0-RTT when the previous
10222 // session did not allow early data on resumption.
10223 testCases = append(testCases, testCase{
10224 testType: serverTest,
10225 name: "TLS13-EarlyData-NonZeroRTTSession-Server",
10226 config: Config{
10227 MaxVersion: VersionTLS13,
10228 },
10229 resumeConfig: &Config{
10230 MaxVersion: VersionTLS13,
10231 Bugs: ProtocolBugs{
10232 SendEarlyData: [][]byte{{}},
10233 ExpectEarlyDataAccepted: false,
10234 },
10235 },
10236 resumeSession: true,
10237 flags: []string{
10238 "-enable-resume-early-data",
10239 "-expect-reject-early-data",
10240 },
10241 })
10242
10243 // Test that we reject early data where ALPN is omitted from the first
10244 // connection.
10245 testCases = append(testCases, testCase{
10246 testType: serverTest,
10247 name: "TLS13-EarlyData-ALPNOmitted1-Server",
10248 config: Config{
10249 MaxVersion: VersionTLS13,
10250 NextProtos: []string{},
10251 },
10252 resumeConfig: &Config{
10253 MaxVersion: VersionTLS13,
10254 NextProtos: []string{"foo"},
10255 Bugs: ProtocolBugs{
10256 SendEarlyData: [][]byte{{}},
10257 ExpectEarlyDataAccepted: false,
10258 },
10259 },
10260 resumeSession: true,
10261 flags: []string{
10262 "-enable-early-data",
10263 "-select-alpn", "",
10264 "-select-resume-alpn", "foo",
10265 },
10266 })
10267
10268 // Test that we reject early data where ALPN is omitted from the second
10269 // connection.
10270 testCases = append(testCases, testCase{
10271 testType: serverTest,
10272 name: "TLS13-EarlyData-ALPNOmitted2-Server",
10273 config: Config{
10274 MaxVersion: VersionTLS13,
10275 NextProtos: []string{"foo"},
10276 },
10277 resumeConfig: &Config{
10278 MaxVersion: VersionTLS13,
10279 NextProtos: []string{},
10280 Bugs: ProtocolBugs{
10281 SendEarlyData: [][]byte{{}},
10282 ExpectEarlyDataAccepted: false,
10283 },
10284 },
10285 resumeSession: true,
10286 flags: []string{
10287 "-enable-early-data",
10288 "-select-alpn", "foo",
10289 "-select-resume-alpn", "",
10290 },
10291 })
10292
10293 // Test that we reject early data with mismatched ALPN.
10294 testCases = append(testCases, testCase{
10295 testType: serverTest,
10296 name: "TLS13-EarlyData-ALPNMismatch-Server",
10297 config: Config{
10298 MaxVersion: VersionTLS13,
10299 NextProtos: []string{"foo"},
10300 },
10301 resumeConfig: &Config{
10302 MaxVersion: VersionTLS13,
10303 NextProtos: []string{"bar"},
10304 Bugs: ProtocolBugs{
10305 SendEarlyData: [][]byte{{}},
10306 ExpectEarlyDataAccepted: false,
10307 },
10308 },
10309 resumeSession: true,
10310 flags: []string{
10311 "-enable-early-data",
10312 "-select-alpn", "foo",
10313 "-select-resume-alpn", "bar",
10314 },
10315 })
10316
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10317}
10318
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10319func addTLS13CipherPreferenceTests() {
10320 // Test that client preference is honored if the shim has AES hardware
10321 // and ChaCha20-Poly1305 is preferred otherwise.
10322 testCases = append(testCases, testCase{
10323 testType: serverTest,
10324 name: "TLS13-CipherPreference-Server-ChaCha20-AES",
10325 config: Config{
10326 MaxVersion: VersionTLS13,
10327 CipherSuites: []uint16{
10328 TLS_CHACHA20_POLY1305_SHA256,
10329 TLS_AES_128_GCM_SHA256,
10330 },
10331 },
10332 flags: []string{
10333 "-expect-cipher-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10334 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10335 },
10336 })
10337
10338 testCases = append(testCases, testCase{
10339 testType: serverTest,
10340 name: "TLS13-CipherPreference-Server-AES-ChaCha20",
10341 config: Config{
10342 MaxVersion: VersionTLS13,
10343 CipherSuites: []uint16{
10344 TLS_AES_128_GCM_SHA256,
10345 TLS_CHACHA20_POLY1305_SHA256,
10346 },
10347 },
10348 flags: []string{
10349 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10350 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10351 },
10352 })
10353
10354 // Test that the client orders ChaCha20-Poly1305 and AES-GCM based on
10355 // whether it has AES hardware.
10356 testCases = append(testCases, testCase{
10357 name: "TLS13-CipherPreference-Client",
10358 config: Config{
10359 MaxVersion: VersionTLS13,
10360 // Use the client cipher order. (This is the default but
10361 // is listed to be explicit.)
10362 PreferServerCipherSuites: false,
10363 },
10364 flags: []string{
10365 "-expect-cipher-aes", strconv.Itoa(int(TLS_AES_128_GCM_SHA256)),
10366 "-expect-cipher-no-aes", strconv.Itoa(int(TLS_CHACHA20_POLY1305_SHA256)),
10367 },
10368 })
10369}
10370
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10371func addPeekTests() {
10372 // Test SSL_peek works, including on empty records.
10373 testCases = append(testCases, testCase{
10374 name: "Peek-Basic",
10375 sendEmptyRecords: 1,
10376 flags: []string{"-peek-then-read"},
10377 })
10378
10379 // Test SSL_peek can drive the initial handshake.
10380 testCases = append(testCases, testCase{
10381 name: "Peek-ImplicitHandshake",
10382 flags: []string{
10383 "-peek-then-read",
10384 "-implicit-handshake",
10385 },
10386 })
10387
10388 // Test SSL_peek can discover and drive a renegotiation.
10389 testCases = append(testCases, testCase{
10390 name: "Peek-Renegotiate",
10391 config: Config{
10392 MaxVersion: VersionTLS12,
10393 },
10394 renegotiate: 1,
10395 flags: []string{
10396 "-peek-then-read",
10397 "-renegotiate-freely",
10398 "-expect-total-renegotiations", "1",
10399 },
10400 })
10401
10402 // Test SSL_peek can discover a close_notify.
10403 testCases = append(testCases, testCase{
10404 name: "Peek-Shutdown",
10405 config: Config{
10406 Bugs: ProtocolBugs{
10407 ExpectCloseNotify: true,
10408 },
10409 },
10410 flags: []string{
10411 "-peek-then-read",
10412 "-check-close-notify",
10413 },
10414 })
10415
10416 // Test SSL_peek can discover an alert.
10417 testCases = append(testCases, testCase{
10418 name: "Peek-Alert",
10419 config: Config{
10420 Bugs: ProtocolBugs{
10421 SendSpuriousAlert: alertRecordOverflow,
10422 },
10423 },
10424 flags: []string{"-peek-then-read"},
10425 shouldFail: true,
10426 expectedError: ":TLSV1_ALERT_RECORD_OVERFLOW:",
10427 })
10428
10429 // Test SSL_peek can handle KeyUpdate.
10430 testCases = append(testCases, testCase{
10431 name: "Peek-KeyUpdate",
10432 config: Config{
10433 MaxVersion: VersionTLS13,
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10434 },
Steven Valdezc4aa7272016-10-03 12:25:56 -0400[diff] [blame]10435 sendKeyUpdates: 1,
10436 keyUpdateRequest: keyUpdateNotRequested,
10437 flags: []string{"-peek-then-read"},
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10438 })
10439}
10440
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10441func addRecordVersionTests() {
10442 for _, ver := range tlsVersions {
10443 // Test that the record version is enforced.
10444 testCases = append(testCases, testCase{
10445 name: "CheckRecordVersion-" + ver.name,
10446 config: Config{
10447 MinVersion: ver.version,
10448 MaxVersion: ver.version,
10449 Bugs: ProtocolBugs{
10450 SendRecordVersion: 0x03ff,
10451 },
10452 },
10453 shouldFail: true,
10454 expectedError: ":WRONG_VERSION_NUMBER:",
10455 })
10456
10457 // Test that the ClientHello may use any record version, for
10458 // compatibility reasons.
10459 testCases = append(testCases, testCase{
10460 testType: serverTest,
10461 name: "LooseInitialRecordVersion-" + ver.name,
10462 config: Config{
10463 MinVersion: ver.version,
10464 MaxVersion: ver.version,
10465 Bugs: ProtocolBugs{
10466 SendInitialRecordVersion: 0x03ff,
10467 },
10468 },
10469 })
10470
10471 // Test that garbage ClientHello record versions are rejected.
10472 testCases = append(testCases, testCase{
10473 testType: serverTest,
10474 name: "GarbageInitialRecordVersion-" + ver.name,
10475 config: Config{
10476 MinVersion: ver.version,
10477 MaxVersion: ver.version,
10478 Bugs: ProtocolBugs{
10479 SendInitialRecordVersion: 0xffff,
10480 },
10481 },
10482 shouldFail: true,
10483 expectedError: ":WRONG_VERSION_NUMBER:",
10484 })
10485 }
10486}
10487
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10488func addCertificateTests() {
10489 // Test that a certificate chain with intermediate may be sent and
10490 // received as both client and server.
10491 for _, ver := range tlsVersions {
10492 testCases = append(testCases, testCase{
10493 testType: clientTest,
10494 name: "SendReceiveIntermediate-Client-" + ver.name,
10495 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10496 MinVersion: ver.version,
10497 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10498 Certificates: []Certificate{rsaChainCertificate},
10499 ClientAuth: RequireAnyClientCert,
10500 },
10501 expectPeerCertificate: &rsaChainCertificate,
10502 flags: []string{
10503 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10504 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10505 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10506 },
10507 })
10508
10509 testCases = append(testCases, testCase{
10510 testType: serverTest,
10511 name: "SendReceiveIntermediate-Server-" + ver.name,
10512 config: Config{
Adam Langleycd6cfb02016-12-06 15:11:00 -0800[diff] [blame]10513 MinVersion: ver.version,
10514 MaxVersion: ver.version,
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10515 Certificates: []Certificate{rsaChainCertificate},
10516 },
10517 expectPeerCertificate: &rsaChainCertificate,
10518 flags: []string{
10519 "-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10520 "-key-file", path.Join(*resourceDir, rsaChainKeyFile),
10521 "-require-any-client-certificate",
10522 "-expect-peer-cert-file", path.Join(*resourceDir, rsaChainCertificateFile),
10523 },
10524 })
10525 }
10526}
10527
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10528func addRetainOnlySHA256ClientCertTests() {
10529 for _, ver := range tlsVersions {
10530 // Test that enabling
10531 // SSL_CTX_set_retain_only_sha256_of_client_certs without
10532 // actually requesting a client certificate is a no-op.
10533 testCases = append(testCases, testCase{
10534 testType: serverTest,
10535 name: "RetainOnlySHA256-NoCert-" + ver.name,
10536 config: Config{
10537 MinVersion: ver.version,
10538 MaxVersion: ver.version,
10539 },
10540 flags: []string{
10541 "-retain-only-sha256-client-cert-initial",
10542 "-retain-only-sha256-client-cert-resume",
10543 },
10544 resumeSession: true,
10545 })
10546
10547 // Test that when retaining only a SHA-256 certificate is
10548 // enabled, the hash appears as expected.
10549 testCases = append(testCases, testCase{
10550 testType: serverTest,
10551 name: "RetainOnlySHA256-Cert-" + ver.name,
10552 config: Config{
10553 MinVersion: ver.version,
10554 MaxVersion: ver.version,
10555 Certificates: []Certificate{rsaCertificate},
10556 },
10557 flags: []string{
10558 "-verify-peer",
10559 "-retain-only-sha256-client-cert-initial",
10560 "-retain-only-sha256-client-cert-resume",
10561 "-expect-sha256-client-cert-initial",
10562 "-expect-sha256-client-cert-resume",
10563 },
10564 resumeSession: true,
10565 })
10566
10567 // Test that when the config changes from on to off, a
10568 // resumption is rejected because the server now wants the full
10569 // certificate chain.
10570 testCases = append(testCases, testCase{
10571 testType: serverTest,
10572 name: "RetainOnlySHA256-OnOff-" + ver.name,
10573 config: Config{
10574 MinVersion: ver.version,
10575 MaxVersion: ver.version,
10576 Certificates: []Certificate{rsaCertificate},
10577 },
10578 flags: []string{
10579 "-verify-peer",
10580 "-retain-only-sha256-client-cert-initial",
10581 "-expect-sha256-client-cert-initial",
10582 },
10583 resumeSession: true,
10584 expectResumeRejected: true,
10585 })
10586
10587 // Test that when the config changes from off to on, a
10588 // resumption is rejected because the server now wants just the
10589 // hash.
10590 testCases = append(testCases, testCase{
10591 testType: serverTest,
10592 name: "RetainOnlySHA256-OffOn-" + ver.name,
10593 config: Config{
10594 MinVersion: ver.version,
10595 MaxVersion: ver.version,
10596 Certificates: []Certificate{rsaCertificate},
10597 },
10598 flags: []string{
10599 "-verify-peer",
10600 "-retain-only-sha256-client-cert-resume",
10601 "-expect-sha256-client-cert-resume",
10602 },
10603 resumeSession: true,
10604 expectResumeRejected: true,
10605 })
10606 }
10607}
10608
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10609func addECDSAKeyUsageTests() {
10610 p256 := elliptic.P256()
10611 priv, err := ecdsa.GenerateKey(p256, rand.Reader)
10612 if err != nil {
10613 panic(err)
10614 }
10615
10616 serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
10617 serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
10618 if err != nil {
10619 panic(err)
10620 }
10621
10622 template := x509.Certificate{
10623 SerialNumber: serialNumber,
10624 Subject: pkix.Name{
10625 Organization: []string{"Acme Co"},
10626 },
10627 NotBefore: time.Now(),
10628 NotAfter: time.Now(),
10629
10630 // An ECC certificate with only the keyAgreement key usgae may
10631 // be used with ECDH, but not ECDSA.
10632 KeyUsage: x509.KeyUsageKeyAgreement,
10633 ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
10634 BasicConstraintsValid: true,
10635 }
10636
10637 derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
10638 if err != nil {
10639 panic(err)
10640 }
10641
10642 cert := Certificate{
10643 Certificate: [][]byte{derBytes},
10644 PrivateKey: priv,
10645 }
10646
10647 for _, ver := range tlsVersions {
10648 if ver.version < VersionTLS12 {
10649 continue
10650 }
10651
10652 testCases = append(testCases, testCase{
10653 testType: clientTest,
10654 name: "ECDSAKeyUsage-" + ver.name,
10655 config: Config{
10656 MinVersion: ver.version,
10657 MaxVersion: ver.version,
10658 Certificates: []Certificate{cert},
10659 },
10660 shouldFail: true,
10661 expectedError: ":ECC_CERT_NOT_FOR_SIGNING:",
10662 })
10663 }
10664}
10665
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10666func worker(statusChan chan statusMsg, c chan *testCase, shimPath string, wg *sync.WaitGroup) {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10667 defer wg.Done()
10668
10669 for test := range c {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10670 var err error
10671
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10672 if *mallocTest >= 0 {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10673 for mallocNumToFail := int64(*mallocTest); ; mallocNumToFail++ {
10674 statusChan <- statusMsg{test: test, started: true}
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10675 if err = runTest(test, shimPath, mallocNumToFail); err != errMoreMallocs {
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10676 if err != nil {
10677 fmt.Printf("\n\nmalloc test failed at %d: %s\n", mallocNumToFail, err)
10678 }
10679 break
10680 }
10681 }
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10682 } else if *repeatUntilFailure {
10683 for err == nil {
10684 statusChan <- statusMsg{test: test, started: true}
10685 err = runTest(test, shimPath, -1)
10686 }
10687 } else {
10688 statusChan <- statusMsg{test: test, started: true}
10689 err = runTest(test, shimPath, -1)
Adam Langley69a01602014-11-17 17:26:55 -0800[diff] [blame]10690 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10691 statusChan <- statusMsg{test: test, err: err}
10692 }
10693}
10694
10695type statusMsg struct {
10696 test *testCase
10697 started bool
10698 err error
10699}
10700
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10701func statusPrinter(doneChan chan *testOutput, statusChan chan statusMsg, total int) {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10702 var started, done, failed, unimplemented, lineLen int
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10703
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10704 testOutput := newTestOutput()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10705 for msg := range statusChan {
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10706 if !*pipe {
10707 // Erase the previous status line.
David Benjamin87c8a642015-02-21 01:54:29 -0500[diff] [blame]10708 var erase string
10709 for i := 0; i < lineLen; i++ {
10710 erase += "\b \b"
10711 }
10712 fmt.Print(erase)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10713 }
10714
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10715 if msg.started {
10716 started++
10717 } else {
10718 done++
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10719
10720 if msg.err != nil {
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10721 if msg.err == errUnimplemented {
10722 if *pipe {
10723 // Print each test instead of a status line.
10724 fmt.Printf("UNIMPLEMENTED (%s)\n", msg.test.name)
10725 }
10726 unimplemented++
10727 testOutput.addResult(msg.test.name, "UNIMPLEMENTED")
10728 } else {
10729 fmt.Printf("FAILED (%s)\n%s\n", msg.test.name, msg.err)
10730 failed++
10731 testOutput.addResult(msg.test.name, "FAIL")
10732 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10733 } else {
10734 if *pipe {
10735 // Print each test instead of a status line.
10736 fmt.Printf("PASSED (%s)\n", msg.test.name)
10737 }
10738 testOutput.addResult(msg.test.name, "PASS")
10739 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10740 }
10741
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10742 if !*pipe {
10743 // Print a new status line.
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10744 line := fmt.Sprintf("%d/%d/%d/%d/%d", failed, unimplemented, done, started, total)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10745 lineLen = len(line)
10746 os.Stdout.WriteString(line)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10747 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10748 }
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10749
10750 doneChan <- testOutput
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10751}
10752
10753func main() {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10754 flag.Parse()
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10755 *resourceDir = path.Clean(*resourceDir)
David Benjamin33863262016-07-08 17:20:12 -0700[diff] [blame]10756 initCertificates()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10757
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10758 addBasicTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10759 addCipherSuiteTests()
10760 addBadECDSASignatureTests()
Adam Langley80842bd2014-06-20 12:00:00 -0700[diff] [blame]10761 addCBCPaddingTests()
Kenny Root7fdeaf12014-08-05 15:23:37 -0700[diff] [blame]10762 addCBCSplittingTests()
David Benjamin636293b2014-07-08 17:59:18 -0400[diff] [blame]10763 addClientAuthTests()
Adam Langley524e7172015-02-20 16:04:00 -0800[diff] [blame]10764 addDDoSCallbackTests()
David Benjamin7e2e6cf2014-08-07 17:44:24 -0400[diff] [blame]10765 addVersionNegotiationTests()
David Benjaminaccb4542014-12-12 23:44:33 -0500[diff] [blame]10766 addMinimumVersionTests()
David Benjamine78bfde2014-09-06 12:45:15 -0400[diff] [blame]10767 addExtensionTests()
David Benjamin01fe8202014-09-24 15:21:44 -0400[diff] [blame]10768 addResumptionVersionTests()
Adam Langley75712922014-10-10 16:23:43 -0700[diff] [blame]10769 addExtendedMasterSecretTests()
Adam Langley2ae77d22014-10-28 17:29:33 -0700[diff] [blame]10770 addRenegotiationTests()
David Benjamin5e961c12014-11-07 01:48:35 -0500[diff] [blame]10771 addDTLSReplayTests()
Nick Harper60edffd2016-06-21 15:19:24 -0700[diff] [blame]10772 addSignatureAlgorithmTests()
David Benjamin83f90402015-01-27 01:09:43 -0500[diff] [blame]10773 addDTLSRetransmitTests()
David Benjaminc565ebb2015-04-03 04:06:36 -0400[diff] [blame]10774 addExportKeyingMaterialTests()
Adam Langleyaf0e32c2015-06-03 09:57:23 -0700[diff] [blame]10775 addTLSUniqueTests()
Adam Langley09505632015-07-30 18:10:13 -0700[diff] [blame]10776 addCustomExtensionTests()
David Benjaminb36a3952015-12-01 18:53:13 -0500[diff] [blame]10777 addRSAClientKeyExchangeTests()
David Benjamin8c2b3bf2015-12-18 20:55:44 -0500[diff] [blame]10778 addCurveTests()
Steven Valdez5b986082016-09-01 12:29:49 -0400[diff] [blame]10779 addSessionTicketTests()
David Benjaminc9ae27c2016-06-24 22:56:37 -0400[diff] [blame]10780 addTLS13RecordTests()
David Benjamin582ba042016-07-07 12:33:25 -0700[diff] [blame]10781 addAllStateMachineCoverageTests()
David Benjamin82261be2016-07-07 14:32:50 -0700[diff] [blame]10782 addChangeCipherSpecTests()
David Benjamin0b8d5da2016-07-15 00:39:56 -0400[diff] [blame]10783 addWrongMessageTypeTests()
David Benjamin639846e2016-09-09 11:41:18 -0400[diff] [blame]10784 addTrailingMessageDataTests()
Steven Valdez143e8b32016-07-11 13:19:03 -0400[diff] [blame]10785 addTLS13HandshakeTests()
David Benjaminabbbee12016-10-31 19:20:42 -0400[diff] [blame]10786 addTLS13CipherPreferenceTests()
David Benjaminf3fbade2016-09-19 13:08:16 -0400[diff] [blame]10787 addPeekTests()
David Benjamine6f22212016-11-08 14:28:24 -0500[diff] [blame]10788 addRecordVersionTests()
David Benjamin2c516452016-11-15 10:16:54 +0900[diff] [blame]10789 addCertificateTests()
David Benjaminbbaf3672016-11-17 10:53:09 +0900[diff] [blame]10790 addRetainOnlySHA256ClientCertTests()
Adam Langleya4b91982016-12-12 12:05:53 -0800[diff] [blame]10791 addECDSAKeyUsageTests()
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10792
10793 var wg sync.WaitGroup
10794
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10795 statusChan := make(chan statusMsg, *numWorkers)
10796 testChan := make(chan *testCase, *numWorkers)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10797 doneChan := make(chan *testOutput)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10798
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10799 if len(*shimConfigFile) != 0 {
10800 encoded, err := ioutil.ReadFile(*shimConfigFile)
10801 if err != nil {
10802 fmt.Fprintf(os.Stderr, "Couldn't read config file %q: %s\n", *shimConfigFile, err)
10803 os.Exit(1)
10804 }
10805
10806 if err := json.Unmarshal(encoded, &shimConfig); err != nil {
10807 fmt.Fprintf(os.Stderr, "Couldn't decode config file %q: %s\n", *shimConfigFile, err)
10808 os.Exit(1)
10809 }
10810 }
10811
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10812 go statusPrinter(doneChan, statusChan, len(testCases))
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10813
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10814 for i := 0; i < *numWorkers; i++ {
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10815 wg.Add(1)
Adam Langley7c803a62015-06-15 15:35:05 -0700[diff] [blame]10816 go worker(statusChan, testChan, *shimPath, &wg)
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10817 }
10818
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10819 var foundTest bool
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10820 for i := range testCases {
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10821 matched := true
10822 if len(*testToRun) != 0 {
10823 var err error
10824 matched, err = filepath.Match(*testToRun, testCases[i].name)
10825 if err != nil {
10826 fmt.Fprintf(os.Stderr, "Error matching pattern: %s\n", err)
10827 os.Exit(1)
10828 }
10829 }
10830
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10831 if !*includeDisabled {
10832 for pattern := range shimConfig.DisabledTests {
10833 isDisabled, err := filepath.Match(pattern, testCases[i].name)
10834 if err != nil {
10835 fmt.Fprintf(os.Stderr, "Error matching pattern %q from config file: %s\n", pattern, err)
10836 os.Exit(1)
10837 }
10838
10839 if isDisabled {
10840 matched = false
10841 break
10842 }
10843 }
10844 }
10845
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10846 if matched {
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10847 foundTest = true
David Benjamin025b3d32014-07-01 19:53:04 -0400[diff] [blame]10848 testChan <- &testCases[i]
David Benjaminba28dfc2016-11-15 17:47:21 +0900[diff] [blame]10849
10850 // Only run one test if repeating until failure.
10851 if *repeatUntilFailure {
10852 break
10853 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10854 }
10855 }
David Benjamin17e12922016-07-28 18:04:43 -0400[diff] [blame]10856
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10857 if !foundTest {
EKRf71d7ed2016-08-06 13:25:12 -0700[diff] [blame]10858 fmt.Fprintf(os.Stderr, "No tests run\n")
David Benjamin270f0a72016-03-17 14:41:36 -0400[diff] [blame]10859 os.Exit(1)
10860 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10861
10862 close(testChan)
10863 wg.Wait()
10864 close(statusChan)
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10865 testOutput := <-doneChan
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10866
10867 fmt.Printf("\n")
David Benjamin5f237bc2015-02-11 17:14:15 -0500[diff] [blame]10868
10869 if *jsonOutput != "" {
10870 if err := testOutput.writeTo(*jsonOutput); err != nil {
10871 fmt.Fprintf(os.Stderr, "Error: %s\n", err)
10872 }
10873 }
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10874
EKR842ae6c2016-07-27 09:22:05 +0200[diff] [blame]10875 if !*allowUnimplemented && testOutput.NumFailuresByType["UNIMPLEMENTED"] > 0 {
10876 os.Exit(1)
10877 }
10878
10879 if !testOutput.noneFailed {
David Benjamin2ab7a862015-04-04 17:02:18 -0400[diff] [blame]10880 os.Exit(1)
10881 }
Adam Langley95c29f32014-06-20 12:00:00 -0700[diff] [blame]10882}